Abstract. Dependently typed programs contain an excessive amount of static terms which are necessary to please the type checker but irrelevant for computation. To separate static and dynamic code, several static analyses and type systems have been put forward. We consider Pfenning's type theory with irrelevant quantification which is compatible with a type-based notion of equality that respects η-laws. We extend Pfenning's theory to universes and large eliminations and develop its meta-theory. Subject reduction, normalization and consistency are obtained by a Kripke model over the typed equality judgement. Finally, a type-directed equality algorithm is described whose completeness is proven by a second Kripke model.



1. Introduction and Related Work 

Dependently typed programming languages such as Agda [BDN09], Coq [INR10], and Epigram [MM04] allow the programmer to express in one language programs, their types, rich invariants, and even proofs of these invariants. Besides code executed at run-time, dependently typed programs contain much code needed only to please the type checker, which is at the same time the verifier of the proofs woven into the program.

Program extraction takes type-checked terms and discards parts that are irrelevant for execution. Augustsson's dependently typed functional language Cayenne [Aug99] erases types using a universe-based analysis. Coq's extraction procedure has been designed by Paulin-Mohring and Werner [PMW93] and Letouzey [Let02] and discards not only types but also proofs. The erasure rests on Coq's universe-based separation between propositional (Prop) and computational parts (Set/Type). The rigid Prop/Set distinction has the drawback of code duplication: a structure which is sometimes used statically and sometimes dynamically needs to be coded twice, once in Prop and once in Set.

An alternative to the fixed Prop/Set-distinction is to let the usage context decide whether a term is a proof or a program. Besides whole-program analyses such as data flow, some type-based analyses have been put forward. One of them is Pfenning's modal type theory of Intensionality, Extensionality, and Proof Irrelevance [Pfe01], later pursued by Reed [Ree03], which introduces functions with irrelevant arguments that play the role of proofs.¹ Not only can these arguments be erased during extraction, they can also be disregarded in type conversion tests during type checking. This relieves the user of unnecessary proof burden (proving that two proofs are equal). Furthermore, proofs can not only be discarded during program extraction but directly after type checking, since they will never be looked at again during type checking subsequent definitions.

In principle, we have to distinguish "post mortem" program extraction, let us call it 
external erasure, and proof disposal during type checking, let us call it internal erasure. 
External erasure deals with closed expressions, programs, whereas internal erasure deals 
with open expressions that can have free variables. Such free variables might be assumed 
proofs of (possibly false) equations and block type casts, or (possibly false) proofs of well- 
foundedness and prevent recursive functions from unfolding indefinitely. For type checking 
to not go wrong or loop, those proofs can only be externally erased, thus, the Prop/Set 
distinction is not for internal erasure. In Pfenning's type theory, proofs can never block 
computations even in open expressions (other than computations on proofs), thus, internal 
erasure is sound. 

Miquel's Implicit Calculus of Constructions (ICC) [Miq01a] goes further than Pfenning and considers also parametric arguments as irrelevant. These are arguments which are irrelevant for function execution but relevant during type conversion checking. Such arguments may only be erased in function application but not in the associated type instantiation. Barras and Bernardo [BB08] and Mishra-Linger and Sheard [MLS08] have built decidable type systems on top of ICC, but both have not fully integrated inductive types and types defined by recursion (large eliminations). Barras and Bernardo, as Miquel, have inductive types only in the form of their impredicative encodings; Mishra-Linger [ML08] gives introduction and elimination principles for inductive types by example, but does not show normalization or consistency.

While Pfenning's type theory uses typed equality, ICC and its successors interpret typed expressions as untyped λ-terms up to untyped equality. In our experience, the implicit quantification of ICC, which allows irrelevant function arguments to appear unrestricted in the codomain type of the function, is incompatible with type-directed equality. Examples are given in Section 2.3. Therefore, we have chosen to scale Pfenning's notion of proof irrelevance up to inductive types, and integrated it into Agda.

In this article, we start with the "extensionality and proof irrelevance" fragment of Pfenning's type theory in Reed's version [Ree02, Ree03]. We extend it by a hierarchy of predicative universes, yielding Irrelevant Intensional Type Theory IITT (Sec. 2). After specifying a type-directed equality algorithm (Sec. 3), we construct a Kripke model for IITT (Sec. 4). It allows us to prove normalization, subject reduction, and consistency, in one go (Sec. 5). A second Kripke logical relation yields correctness of algorithmic equality and decidability of IITT (Sec. 6). Our models are ready for data types, large eliminations, types with extensionality principles, and internal erasure (Sec. 7).



¹ Awodey and Bauer [AB04] give a categorical treatment of proof irrelevance which is very similar to Pfenning and Reed's. However, they work in the setting of Extensional Type Theory with undecidable type checking, so we could not directly use their results for this work.
Contribution and Related Work. We consider the design of our meta-theoretic argument as technical novelty, although it heavily relies on previous works to which we owe our inspiration. Allen [All87] describes a logical relation for Martin-Löf type theory with a countable universe hierarchy. The seminal work of Coquand [Coq91] describes an untyped equality check for the Logical Framework and justifies it by a logical relation for dependent types that establishes subject reduction, normalization, completeness of algorithmic equality, and injectivity of function types in one go. However, his approach cannot be easily extended to a typed algorithmic equality, due to problems with transitivity.

Goguen introduces Typed Operational Semantics [Gog94] to construct a Kripke logical relation that simultaneously proves normalization, subject reduction, and confluence for a variant of the Calculus of Inductive Constructions. From his results one can derive an equality check based on reduction to normal form. Goguen also shows how to derive syntactic properties, such as closure of typing and equality under substitution, by a Kripke-logical relation [Gog00].



Harper and Pfenning [HP05] popularize a type-directed equality check for the Logical Framework that scales to extensionality for unit types. They prove completeness of algorithmic equality by a Kripke model on simple types which are obtained by erasure from the dependent types. Erasure is necessary since algorithmic equality cannot be shown transitive before it is proven sound; yet soundness hinges on subject reduction which rests on function type injectivity which in turn is obtained from completeness of algorithmic equality: a vicious cycle. While erasure breaks the cycle, it also prevents types from being defined by recursion on values (so-called large eliminations), a common feature of proof assistants like Agda, Coq, and Epigram.

Normalization by evaluation (NbE) has been successfully used to obtain a type-directed equality check based on evaluation in the context of dependent types with large eliminations [ACD07]. In previous work [ACD08], the first author applied NbE to justify a variant of Harper and Pfenning's algorithmic equality without erasure. However, the meta-theoretic argument is long-winded, and there is an essential gap in the proof of transitivity of the Kripke logical relation.

In this work, we explore a novel approach to justify type-directed algorithmic equality for dependent types with predicative universes. First, we show its soundness by a Kripke model built on top of definitional equality. The Kripke logical relation yields normalization, subject reduction, and type constructor injectivity, which also imply logical consistency of IITT. Further, it proves syntactic properties such as closure under substitution, following Goguen's lead [Gog00]. The semantic proof of such syntactic properties relieves us from the deep lemma dependencies and abundant traps of syntactic meta-theory of dependent types [HP05, AC07]. Soundness of algorithmic equality entails transitivity (which is the stumbling stone), paving the way to show completeness of algorithmic equality by a second Kripke logical relation, much in the spirit of Coquand [Coq91] and Harper and Pfenning [HP05].

This article is a revised and extended version of the paper Irrelevance in Type Theory with a Heterogeneous Equality Judgement presented at the conference FoSSaCS 2011 [Abe11]. Unfortunately, the conference version has inherited the above-mentioned gap [ACD08] in the proof of transitivity of the Kripke logical relation. This is fixed in the present article by an auxiliary Kripke model (Section 4). Further, we have dropped the heterogeneous approach to equality in favor of a standard homogeneous one. Heterogeneous equality is not necessary for the style of irrelevance we are embracing here.
2. Irrelevant Intensional Type Theory

In this section, we present Irrelevant Intensional Type Theory IITT which features two of Pfenning's function spaces [Pfe01], the ordinary "extensional" $(x{:}U) \to T$ and the proof irrelevant $(x{\div}U) \to T$. The main idea is that the argument of a $(x{\div}U) \to T$ function is counted as a proof and can neither be returned nor eliminated on; it can only be passed as argument to another proof irrelevant function or data constructor. Technically, this is realized by annotating variables as relevant, $x{:}U$, or irrelevant, $x{\div}U$, in the typing context, to confine occurrences of irrelevant variables to irrelevant arguments.

Expression and context syntax. We distinguish between relevant ($t{:}u$ or simply $t\,u$) and irrelevant application ($t{\div}u$). Accordingly, we have relevant ($\lambda x{:}U.\,t$) and irrelevant abstraction ($\lambda x{\div}U.\,t$). Our choice of typed abstraction is not fundamental; a bidirectional type-checking algorithm [Coq96] can reconstruct type and relevance annotations at abstractions and applications.

$$\begin{array}{lrcll}
\mathsf{Var} \ni & x, y, X, Y \\
\mathsf{Sort} \ni & s & ::= & \mathsf{Set}_k \ (k \in \mathbb{N}) & \text{universes} \\
\mathsf{Ann} \ni & * & ::= & \div \mid : & \text{annotation: irrelevant, relevant} \\
\mathsf{Exp} \ni & t, u, T, U & ::= & s \mid (x{*}U) \to^{s,s'} T & \text{sort, (ir)relevant function type} \\
& & \mid & x \mid \lambda x{*}U.\,t \mid t{*}u & \text{lambda-calculus} \\
\mathsf{Cxt} \ni & \Gamma, \Delta & ::= & \diamond \mid \Gamma.x{*}T & \text{empty, (ir)relevant extension}
\end{array}$$

Expressions are considered modulo α-equality; we write $t \equiv t'$ when we want to stress that $t$ and $t'$ are identical (up to α). Similarly, we consider variables bound in a context to be distinct, and when opening a term binder we will implicitly use α-conversion to add a fresh variable in the context.

For technical reasons, namely, to prove transitivity (Lemma 4.3) of the Kripke logical relation in Section 4, we explicitly annotate function types $(x{*}U) \to^{s,s'} T$ with the sorts $s$ of domain $U$ and $s'$ of codomain $T$. We may omit the annotation if it is inessential or determined by the context of discourse. In case $T$ does not mention $x$, we may write $U \to T$ for $(x{:}U) \to T$.

Sorts. IITT is a pure type system (PTS) with an infinite hierarchy of predicative universes $\mathsf{Set}_0 : \mathsf{Set}_1 : \dots$. The universes are not cumulative. We have the PTS axioms $\mathsf{Axiom} = \{(\mathsf{Set}_i, \mathsf{Set}_{i+1}) \mid i \in \mathbb{N}\}$ and the rules $\mathsf{Rule} = \{(\mathsf{Set}_i, \mathsf{Set}_j, \mathsf{Set}_{\max(i,j)}) \mid i, j \in \mathbb{N}\}$. As is customary, we will write the side condition $(s,s') \in \mathsf{Axiom}$ just as $(s,s')$ and likewise $(s_1,s_2,s_3) \in \mathsf{Rule}$ just as $(s_1,s_2,s_3)$. IITT is a full and functional PTS, which means that for all $s_1, s_2$ there is exactly one $s_3$ such that $(s_1,s_2,s_3)$. There is no subtyping, so that types, and thus sorts, are unique up to equality. A proof of sort unicity might relieve us from the sort annotation in function types; however, we obtain sort discrimination too late in our technical development (Lemma 5.10).

Substitutions. Substitutions $\sigma$ are maps from variables to expressions. We require that the domain $\mathrm{dom}(\sigma) = \{x \mid \sigma(x) \neq x\}$ is finite. We write $\mathrm{id}$ for the identity substitution and $[u/x]$ for the singleton substitution $\sigma$ such that $\sigma(x) := u$ and $\sigma(y) := y$ for $y \neq x$. Substitution extension $(\sigma, u/x)$ is formally defined as $\sigma \uplus [u/x]$. Capture avoiding parallel substitution of $\sigma$ in $t$ is written as juxtaposition $t\sigma$.



IRRELEVANCE IN TYPE THEORY 



Contexts. Contexts $\Gamma$ feature two kinds of bindings, relevant $(x{:}U)$ and irrelevant $(x{\div}U)$ ones. The intuition, implemented by the typing rules below, is that only relevant variables are in scope in an expression. Resurrection $\Gamma^-$ turns all irrelevant bindings $(x{\div}T)$ into the corresponding relevant ones $(x{:}T)$ [Pfe01]. It is the tool to make irrelevant variables, also called proof variables, available in proofs. The generalization $\Gamma^*$ shall mean $\Gamma^-$ if $* = \div$, and just $\Gamma$ otherwise. We write $\Gamma.\Delta$ for the concatenation of $\Gamma$ and $\Delta$; herein, we suppose $\mathrm{dom}(\Gamma) \cap \mathrm{dom}(\Delta) = \emptyset$.

Primitive judgements of IITT. The following three judgements are mutually inductively defined by the rules given below and in Figure 1.

$$\begin{array}{ll}
\vdash \Gamma & \text{Context } \Gamma \text{ is well-formed.} \\
\Gamma \vdash t : T & \text{In context } \Gamma \text{, expression } t \text{ has type } T. \\
\Gamma \vdash t = t' : T & \text{In context } \Gamma \text{, } t \text{ and } t' \text{ are equal expressions of type } T.
\end{array}$$

Derived judgements. To simplify notation, we introduce the following four abbreviations:

$$\begin{array}{lcl}
\Gamma \vdash t \div T & \text{iff} & \Gamma^- \vdash t : T, \\
\Gamma \vdash t = t' \div T & \text{iff} & \Gamma \vdash t \div T \text{ and } \Gamma \vdash t' \div T, \\
\Gamma \vdash T & \text{iff} & \Gamma \vdash T : s \text{ for some } s, \\
\Gamma \vdash T = T' & \text{iff} & \Gamma \vdash T = T' : s \text{ for some } s.
\end{array}$$

$\Gamma \vdash t * T$ may mean $\Gamma \vdash t : T$ or $\Gamma \vdash t \div T$, depending on the value of placeholder $*$; same for $\Gamma \vdash t = t' * T$. We sometimes write $\Gamma \vdash t, t' * T$ to abbreviate the conjunction of $\Gamma \vdash t * T$ and $\Gamma \vdash t' * T$. The notation $\Gamma \vdash T, T'$ is to be understood similarly.

2.1. Rules. Our rules for well-typed terms $\Gamma \vdash t : T$ extend Reed's rules [Ree02] to PTS style. There are only 6 rules; we shall introduce them one-by-one.

Variable rule. Only relevant variables can be extracted from the context.

$$\frac{\vdash \Gamma \quad (x{:}U) \in \Gamma}{\Gamma \vdash x : U}$$

There is no variable rule for irrelevant bindings $(x{\div}U) \in \Gamma$; in particular, the judgement $x{\div}U \vdash x : U$ is not derivable. This essentially forbids proofs to appear in relevant positions.

Abstraction rule. Relevant and irrelevant functions are introduced analogously.

$$\frac{\Gamma.x{*}U \vdash t : T \quad \Gamma \vdash (x{*}U) \to^{s,s'} T}{\Gamma \vdash \lambda x{*}U.\,t : (x{*}U) \to^{s,s'} T}$$

To check a relevant function $\lambda x{:}U.\,t$, we introduce a relevant binding $x{:}U$ into the context and continue checking the function body $t$. In case of an irrelevant function $\lambda x{\div}U.\,t$, we proceed with an irrelevant binding $x{\div}U$. This means that an irrelevant function cannot computationally depend on its argument; it is essentially a constant function. In particular, $\lambda x{\div}U.\,x$ is never well-typed.

As a side condition, we also need to check that the introduced function type $(x{*}U) \to T$ is well-sorted; the rule is given below.
Application rule.

$$\frac{\Gamma \vdash t : (x{*}U) \to T \quad \Gamma \vdash u * U}{\Gamma \vdash t{*}u : T[u/x]}$$

This rule uses our overloaded notation for bindings $*$, which can be specialized into two different instances for relevant and irrelevant applications.

For relevant functions, we get the ordinary dependently-typed application rule:

$$\frac{\Gamma \vdash t : (x{:}U) \to T \quad \Gamma \vdash u : U}{\Gamma \vdash t\,u : T[u/x]}$$

When applying an irrelevant function, we resurrect the context before checking the function argument.

$$\frac{\Gamma \vdash t : (x{\div}U) \to T \quad \Gamma^- \vdash u : U}{\Gamma \vdash t{\div}u : T[u/x]}$$

This means that irrelevant variables become relevant and can be used in $u$. The intuition is that the application $t{\div}u$ does not computationally depend on $u$, thus, $u$ may refer to any variable, even the "forbidden ones". One may think of $u$ as a proof which may refer to both ordinary and proof variables.

For example, let $\Gamma = f : (y{\div}U) \to U$. Then the irrelevant η-expansion $\lambda x{\div}U.\,f{\div}x$ is well-typed in $\Gamma$, with the following derivation:

$$\frac{\dfrac{\Gamma.x{\div}U \vdash f : (y{\div}U) \to U \quad \Gamma.x{:}U \vdash x : U}{\Gamma.x{\div}U \vdash f{\div}x : U}}{\Gamma \vdash \lambda x{\div}U.\,f{\div}x : (x{\div}U) \to U}$$

Observe how the status of $x$ changes from irrelevant to relevant when we check the argument of $f$.

Sorting rules. These are the "Axioms" and the "Rules" of PTSs to form types.

$$\frac{\vdash \Gamma}{\Gamma \vdash s : s'}\,(s,s') \qquad \frac{\Gamma \vdash U : s_1 \quad \Gamma.x{*}U \vdash T : s_2}{\Gamma \vdash (x{*}U) \to^{s_1,s_2} T : s_3}\,(s_1,s_2,s_3)$$

The rule for irrelevant function type formation follows Reed [Ree02].

$$\frac{\Gamma \vdash U : s_1 \quad \Gamma.x{\div}U \vdash T : s_2}{\Gamma \vdash (x{\div}U) \to^{s_1,s_2} T : s_3}\,(s_1,s_2,s_3)$$

It states that the codomain of an irrelevant function cannot depend relevantly on the function argument. This fact is crucial for the construction of our semantics in Section 4. Note that it rules out polymorphism in the sense of Barras and Bernardo's Implicit Calculus of Constructions ICC* [BB08] and Mishra-Linger and Sheard's Erasure Pure Type Systems EPTS [MLS08]: the type $(X{\div}\mathsf{Set}_0) \to (x{:}X) \to X$ is ill-formed in IITT, but not in ICC* or EPTS. In EPTS, there is the following rule:

$$\frac{\Gamma \vdash U : s_1 \quad \Gamma.x{:}U \vdash T : s_2}{\Gamma \vdash (x{\div}U) \to^{s_1,s_2} T : s_3}\,(s_1,s_2,s_3)$$

It allows the codomain $T$ of an irrelevant function to arbitrarily depend on the function argument $x$. This is fine in an erasure semantics, but incompatible with our typed semantics in the presence of large eliminations; we will detail the issues in Examples 2.3 and 2.8.
Another variant is Pfenning's rule for irrelevant function type formation [Pfe01].

$$\frac{\Gamma \vdash U \div s_1 \quad \Gamma.x{\div}U \vdash T : s_2}{\Gamma \vdash (x{\div}U) \to^{s_1,s_2} T : s_3}\,(s_1,s_2,s_3)$$

It allows the domain of an irrelevant function to make use of irrelevant variables in scope. It does not give polymorphism, e.g., $(X{\div}\mathsf{Set}_0) \to (x{:}X) \to X$ is still ill-formed. However, $(X{\div}\mathsf{Set}_0) \to (x{\div}X) \to X$ would be well-formed. It is unclear what the equality rule for irrelevant function types would look like; it is not given by Pfenning [Pfe01]. The rule

$$\frac{\Gamma \vdash U = U' \div s_1 \quad \Gamma.x{\div}U \vdash T = T' : s_2}{\Gamma \vdash (x{\div}U) \to^{s_1,s_2} T = (x{\div}U') \to^{s_1,s_2} T' : s_3}\,(s_1,s_2,s_3)$$

would mean that any two irrelevant function types are equal as long as their codomains are equal, since their domains are irrelevant. This is not compatible with our typed semantics and seems a bit problematic in general.²

Type conversion rule. We have typed conversion, thus, strictly speaking, IITT is not a PTS, but a Pure Type System with Judgemental Equality [Ada06].

$$\frac{\Gamma \vdash t : T \quad \Gamma \vdash T = T'}{\Gamma \vdash t : T'}$$

Equality. Figure 1 recapitulates the typing rules and lists the rules to derive context well-formedness $\vdash \Gamma$ and equality $\Gamma \vdash t = t' : T$. Equality is the least congruence over the β- and η-axioms. Since equality is typed we can extend IITT to include an extensional unit type (Section 7). Let us inspect the congruence rule for application:

$$\frac{\Gamma \vdash t = t' : (x{*}U) \to T \quad \Gamma \vdash u = u' * U}{\Gamma \vdash t{*}u = t'{*}u' : T[u/x]}$$

In case of relevant functions ($* = {:}$) we obtain the usual dependently-typed application rule of equality. Otherwise, we get:

$$\frac{\Gamma \vdash t = t' : (x{\div}U) \to T \quad \Gamma^- \vdash u : U \quad \Gamma^- \vdash u' : U}{\Gamma \vdash t{\div}u = t'{\div}u' : T[u/x]}$$

Note that the arguments $u$ and $u'$ to the irrelevant functions need to be well-typed but not related to each other. This makes precise the intuition that $t$ and $t'$ are constant functions.

2.2. Simple properties of IITT. In the following, we prove two basic invariants of derivable IITT-judgements: the context is always well-formed, and judgements remain derivable under well-formed context extensions (weakening).

Lemma 2.1 (Context well-formedness).
(1) If $\vdash \Gamma.x{*}U.\Gamma'$ then $\Gamma \vdash U$.
(2) If $\Gamma \vdash t : T$ or $\Gamma \vdash t = t' : T$ then $\vdash \Gamma$.

Proof. By a simple induction on the derivations. □



² This is why Reed [Ree02] differs from Pfenning.
Context well-formedness $\vdash \Gamma$.

$$\frac{}{\vdash \diamond} \qquad \frac{\vdash \Gamma \quad \Gamma \vdash T}{\vdash \Gamma.x{*}T}$$

Typing $\Gamma \vdash t : T$.

$$\frac{\vdash \Gamma}{\Gamma \vdash s : s'}\,(s,s') \qquad \frac{\Gamma \vdash U : s_1 \quad \Gamma.x{*}U \vdash T : s_2}{\Gamma \vdash (x{*}U) \to^{s_1,s_2} T : s_3}\,(s_1,s_2,s_3)$$

$$\frac{\vdash \Gamma \quad (x{:}U) \in \Gamma}{\Gamma \vdash x : U} \qquad \frac{\Gamma.x{*}U \vdash t : T \quad \Gamma \vdash (x{*}U) \to^{s_1,s_2} T}{\Gamma \vdash \lambda x{*}U.\,t : (x{*}U) \to^{s_1,s_2} T}$$

$$\frac{\Gamma \vdash t : (x{*}U) \to T \quad \Gamma \vdash u * U}{\Gamma \vdash t{*}u : T[u/x]} \qquad \frac{\Gamma \vdash t : T \quad \Gamma \vdash T = T'}{\Gamma \vdash t : T'}$$

Equality $\Gamma \vdash t = t' : T$.

Computation (β) and extensionality (η).

$$\frac{\Gamma.x{*}U \vdash t : T \quad \Gamma \vdash u * U}{\Gamma \vdash (\lambda x{*}U.\,t){*}u = t[u/x] : T[u/x]} \qquad \frac{\Gamma \vdash t : (x{*}U) \to T}{\Gamma \vdash t = \lambda x{*}U.\,t{*}x : (x{*}U) \to T}$$

Equivalence rules.

$$\frac{\Gamma \vdash t : T}{\Gamma \vdash t = t : T} \qquad \frac{\Gamma \vdash t = t' : T}{\Gamma \vdash t' = t : T} \qquad \frac{\Gamma \vdash t_1 = t_2 : T \quad \Gamma \vdash t_2 = t_3 : T}{\Gamma \vdash t_1 = t_3 : T}$$

Compatibility rules.

$$\frac{\Gamma \vdash U = U' : s_1 \quad \Gamma.x{*}U \vdash T = T' : s_2}{\Gamma \vdash (x{*}U) \to^{s_1,s_2} T = (x{*}U') \to^{s_1,s_2} T' : s_3}\,(s_1,s_2,s_3)$$

$$\frac{\Gamma \vdash U = U' : s_1 \quad \Gamma.x{*}U \vdash T : s_2 \quad \Gamma.x{*}U \vdash t = t' : T}{\Gamma \vdash \lambda x{*}U.\,t = \lambda x{*}U'.\,t' : (x{*}U) \to^{s_1,s_2} T}$$

$$\frac{\Gamma \vdash t = t' : (x{*}U) \to T \quad \Gamma \vdash u = u' * U}{\Gamma \vdash t{*}u = t'{*}u' : T[u/x]}$$

Conversion rule.

$$\frac{\Gamma \vdash t = t' : T \quad \Gamma \vdash T = T'}{\Gamma \vdash t = t' : T'}$$

Figure 1: Rules of IITT
It should be noted that we only prove the most basic well-formedness statements here. One would expect that $\Gamma \vdash t : T$ or $\Gamma \vdash t = t' : T$ also implies $\Gamma \vdash T$, or that $\Gamma \vdash t = t' : T$ implies $\Gamma \vdash t : T$. This is true, and we will refer to these implications as syntactic validity, but this cannot be proven without treatment of substitution, due to the typing rule for application, which requires substitution in the type, and due to the equality rule for a β-redex, which uses substitution in both term and type. Therefore, syntactic validity is delayed until Section 4 (Corollary 4.17), where substitution will be handled by semantic, rather than syntactic, methods.

Weakening. We can weaken a context $\Gamma$ by adding bindings or making irrelevant bindings relevant. Formally, we have an order on binding annotations, which is the order induced by ${:} \leq {\div}$, and we define weakening by monotonic extension.

A well-formed context $\vdash \Delta$ extends a well-formed context $\vdash \Gamma$, written $\Delta \leq \Gamma$, if and only if:

$$\forall x \in \mathrm{dom}(\Gamma),\ (x *_1 T) \in \Gamma \implies (x *_2 T) \in \Delta \text{ with } *_2 \leq *_1.$$

Note that this allows to insert new bindings or relax existing ones at any position in $\Gamma$, not just at the end.

Lemma 2.2 (Weakening). Let $\Delta \leq \Gamma$.

(1) If $\vdash \Gamma.\Gamma'$ and $\mathrm{dom}(\Delta) \cap \mathrm{dom}(\Gamma') = \emptyset$ then $\vdash \Delta.\Gamma'$.
(2) If $\Gamma \vdash t : T$ then $\Delta \vdash t : T$.
(3) If $\Gamma \vdash t = t' : T$ then $\Delta \vdash t = t' : T$.

Proof. Simultaneously by induction on the derivation. Let us look at some cases:

Case
$$\frac{\vdash \Gamma}{\Gamma \vdash s = s : s'}\,(s,s')$$
By assumption $\vdash \Delta$, thus $\Delta \vdash s = s : s'$.

Case
$$\frac{\vdash \Gamma \quad (x{:}U) \in \Gamma}{\Gamma \vdash x = x : U}$$
Since $\Delta \leq \Gamma$ we have $(x{:}U) \in \Delta$, thus $\Delta \vdash x = x : U$.

Case
$$\frac{\Gamma \vdash U = U' : s_1 \quad \Gamma.x{*}U \vdash T : s_2 \quad \Gamma.x{*}U \vdash t = t' : T}{\Gamma \vdash \lambda x{*}U.\,t = \lambda x{*}U'.\,t' : (x{*}U) \to^{s_1,s_2} T}$$
W.l.o.g., $x \notin \mathrm{dom}(\Delta)$. By (1) and definition of context weakening, $\Delta \leq \Gamma$ implies $\Delta.x{*}U \leq \Gamma.x{*}U$, so all premises can be appropriately weakened by induction hypothesis. □



2.3. Examples.

Example 2.3 (Relevance of types).³ We can extend IITT by a unit type $1$ with extensionality principle.

$$\frac{\vdash \Gamma}{\Gamma \vdash 1 : \mathsf{Set}_i} \qquad \frac{\vdash \Gamma}{\Gamma \vdash () : 1} \qquad \frac{\Gamma \vdash t : 1 \quad \Gamma \vdash t' : 1}{\Gamma \vdash t = t' : 1}$$

³ Example suggested by a reviewer of this paper.
Typed equality allows us to equate all inhabitants of the unit type. As a consequence, the Church numerals over the unit type all coincide, e.g.,

$$\Gamma \vdash \lambda f{:}1 \to 1.\,\lambda x{:}1.\,x \;=\; \lambda f{:}1 \to 1.\,\lambda x{:}1.\,f\,x \;:\; (1 \to 1) \to 1 \to 1.$$

In systems with untyped equality, like ICC* and EPTS, these terms erase to untyped Church numerals $\lambda f\lambda x.\,x$ and $\lambda f\lambda x.\,f\,x$ and are necessarily distinguished.

If we trade the unit type for Bool or any other type with more than one inhabitant, the two terms become different in IITT. This means that in IITT, types are relevant, and we need to reject irrelevant quantification over types like in $(X{\div}\mathsf{Set}_0) \to (X \to X) \to X \to X$. In IITT, the polymorphic types of Church numerals are $(X{:}\mathsf{Set}_i) \to (X \to X) \to X \to X$.

Example 2.4 (Σ-types). IITT can be readily extended by weak Σ-types.

$$\frac{\Gamma \vdash U : s_1 \quad \Gamma.x{*}U \vdash T : s_2}{\Gamma \vdash (x{*}U) \times T : s_3}\,(s_1,s_2,s_3)$$

$$\frac{\Gamma \vdash u * U \quad \Gamma \vdash t : T[u/x] \quad \Gamma \vdash (x{*}U) \times T}{\Gamma \vdash (u,t) : (x{*}U) \times T}$$

$$\frac{\Gamma \vdash p : (x{*}U) \times T \quad \Gamma.x{*}U.y{:}T \vdash v : V}{\Gamma \vdash \mathsf{let}\ (x,y) = p\ \mathsf{in}\ v : V}$$

$$\frac{\Gamma \vdash u * U \quad \Gamma \vdash t : T[u/x] \quad \Gamma.x{*}U.y{:}T \vdash v : V \quad \Gamma \vdash (x{*}U) \times T}{\Gamma \vdash (\mathsf{let}\ (x,y) = (u,t)\ \mathsf{in}\ v) = v[u/x][t/y] : V}$$

Additional laws for equality could be considered, like commuting conversions, or the identity $(\mathsf{let}\ (x,y) = p\ \mathsf{in}\ (x,y)) = p$. The relevant form $(x{:}U) \times T$ admits a strong version with projections $\mathsf{fst}$ and $\mathsf{snd}$ and full extensionality $p = (\mathsf{fst}\,p, \mathsf{snd}\,p) : (x{:}U) \times T$. However, strong irrelevant Σ-types $(x{\div}U) \times T$ are problematic because of the first projection:

$$\frac{\Gamma \vdash p : (x{\div}U) \times T}{\Gamma \vdash \mathsf{fst}\,p \div U}$$

With our definition of $\Gamma \vdash u \div U$ as $\Gamma^- \vdash u : U$, this rule is misbehaved: it allows us to get hold of an irrelevant value in a relevant context. We could define a closed function $\pi_1 : (x{\div}U) \times 1 \to U$, and composing it with $(\_, ()) : (x{\div}U) \to (x{\div}U) \times 1$ would give us an identity function of type $(x{\div}U) \to U$ which magically makes irrelevant things relevant and IITT inconsistent. In this article, we will not further consider strong Σ-types with irrelevant components; we leave the in-depth investigation to future work.

Example 2.5 (Squash type). The squash type $\|T\|$ was first introduced in the context of NuPRL [CAB+86]: it contains exactly one inhabitant iff $T$ is inhabited. Semantically, one obtains $\|T\|$ from $T$ by equating all of $T$'s inhabitants. In IITT, we can define $\|T\|$ as internalization of the irrelevance modality, as already suggested by Pfenning [Pfe01]. The first alternative is via the weak irrelevant Σ-type.

$$\begin{array}{lcl}
\|\_\| & : & \mathsf{Set}_i \to \mathsf{Set}_i \\
\|T\| & = & (\_{\div}T) \times 1 \\
[\_] & : & (x{\div}T) \to \|T\|
\end{array}$$

$$\begin{array}{l}
\mathsf{sqelim}\ (T : \mathsf{Set}_i)\ (P : \|T\| \to \mathsf{Set}_j)\ (f : (x{\div}T) \to P\,[x])\ (t : \|T\|) : P\,t \\
\quad := \mathsf{let}\ (x, \_) = t\ \mathsf{in}\ f{\div}x
\end{array}$$

It is not hard to see that $\|\_\|$ is a monad. All canonical inhabitants of $\|T\|$ are definitionally equal:

$$\frac{\Gamma \vdash t, t' \div T}{\Gamma \vdash [t] = [t'] : \|T\|}$$

This is easily shown by expanding the definition of $[\_]$ and using the congruence rule for pairs with an irrelevant first component.

However, we cannot show that all inhabitants of $\|T\|$ are definitionally equal, because of the missing extensionality principles for weak Σ. Thus, the second alternative is to add the squash type to IITT via the rules:

$$\frac{\Gamma \vdash T : \mathsf{Set}_i}{\Gamma \vdash \|T\| : \mathsf{Set}_i} \qquad \frac{\Gamma \vdash t \div T}{\Gamma \vdash [t] : \|T\|} \qquad \frac{\Gamma \vdash t : \|T\| \quad \Gamma.x{\div}T \vdash v : V}{\Gamma \vdash \mathsf{let}\ [x] = t\ \mathsf{in}\ v : V}$$

$$\frac{\Gamma \vdash t, t' : \|T\|}{\Gamma \vdash t = t' : \|T\|} \qquad \frac{\Gamma \vdash t \div T \quad \Gamma.x{\div}T \vdash v : V}{\Gamma \vdash (\mathsf{let}\ [x] = [t]\ \mathsf{in}\ v) = v[t/x] : V}$$

Our model (Section 4) is ready to interpret these rules, as well as normalization-by-evaluation inspired models [ACP11].

Example 2.6 (Subset type). The subset type $\{x : U \mid T\}$ is definable from Σ and squash as $(x{:}U) \times \|T\|$.

To discuss the next example, we consider a further extension of IITT by Leibniz equality and natural numbers:

$$\begin{array}{lcll}
a = b & : & \mathsf{Set}_i & \text{for } A : \mathsf{Set}_i \text{ and } a, b : A \\
\mathsf{refl} & : & a = a & \text{for } A : \mathsf{Set}_i \text{ and } a : A \\
\mathsf{Nat} & : & \mathsf{Set}_i \\
0, 1, \dots & : & \mathsf{Nat} \\
+, * & : & \mathsf{Nat} \to \mathsf{Nat} \to \mathsf{Nat}.
\end{array}$$

Example 2.7 (Composite).⁴ Let the set of composite numbers $\{4, 6, 8, 9, 10, 12, 14, 15, \dots\}$ be numbers that are the product of two natural numbers $\geq 2$.

$$\mathsf{Composite} = \{n : \mathsf{Nat} \mid (k : \mathsf{Nat}) \times (l : \mathsf{Nat}) \times (n = (k + 2) * (l + 2))\}$$

Most composite numbers have several factorizations, and thanks to irrelevance the specific composition is ignored when handling composite numbers. For instance, 12 as product of 3 and 4 is not distinguished from the 12 as product of 2 and 6.

$$(12, [(1, (2, \mathsf{refl}))]) = (12, [(0, (4, \mathsf{refl}))]) : \mathsf{Composite}.$$

⁴ Example suggested by reviewer.
Example 2.8 (Large eliminations). The ICC* [BB08] or EPTS [MLS08] irrelevant function type $(x \div A) \to B$ allows $x$ to appear relevantly in $B$. This extra power raises some issues with large eliminations. Consider

$$\begin{array}{lcl}
T & : & \mathsf{Bool} \to \mathsf{Set}_0 \\
T\ \mathsf{true} & = & \mathsf{Bool} \to \mathsf{Bool} \\
T\ \mathsf{false} & = & \mathsf{Bool} \\[1ex]
t & = & \lambda F : (b{\div}\mathsf{Bool}) \to (T\,b \to T\,b) \to \mathsf{Set}_0. \\
& & \lambda g : (F{\div}\mathsf{false}\ (\lambda x : \mathsf{Bool}.\,x)) \to \mathsf{Bool}. \\
& & \lambda a : F{\div}\mathsf{true}\ (\lambda x : \mathsf{Bool} \to \mathsf{Bool}.\,\lambda y : \mathsf{Bool}.\,x\,y).\ g\,a.
\end{array}$$

The term $t$ is well-typed in ICC* + $T$ because the domain type of $g$ and the type of $a$ are βη-equal after erasure $(-)^*$ of type annotations and irrelevant arguments:

$$\begin{array}{lcl}
(F{\div}\mathsf{false}\ (\lambda x : \mathsf{Bool}.\,x))^* & = & F\ (\lambda x.\,x) \\
& =_{\beta\eta} & F\ (\lambda x\lambda y.\,x\,y) \;=\; (F{\div}\mathsf{true}\ (\lambda x : \mathsf{Bool} \to \mathsf{Bool}.\,\lambda y : \mathsf{Bool}.\,x\,y))^*
\end{array}$$

While a Curry view supports this, it is questionable whether identity functions at different types should be viewed as one. It is unclear how a type-directed equality algorithm (see Sec. 3) should proceed here; it needs to recognize that $x : \mathsf{Bool}$ is equal to $\lambda y : \mathsf{Bool}.\,x\,y : \mathsf{Bool} \to \mathsf{Bool}$. This situation is amplified by a unit type $1$ with extensional equality. When we change $T\ \mathsf{true}$ to $1$ and the type of $a$ to $F{\div}\mathsf{true}\ (\lambda x{:}1.\,())$ then $t$ should still type-check, because $\lambda x.\,()$ is the identity function on $1$. However, η-equality for $1$ cannot be checked without types, and a type-directed algorithm would end up checking (successfully) $x : \mathsf{Bool}$ for equality with $() : 1$. This algorithmic equality cannot be transitive, because then any two booleans would be equal.

Summarizing, we may conclude that the type of $F$ bears trouble and needs to be rejected. IITT does this because it forbids the irrelevant $b$ in relevant positions such as $T\,b$; ICC* lacks $T$ altogether. Extensions of ICC* should at least make sure that $b$ is never eliminated, such as in $T\,b$. Technically, $T$ would have to be put in a separate class of recursive functions, those that actually compute with their argument. We leave the interaction of the three different function types to future research.

3. Algorithmic Equality

The algorithm for checking equality in IITT is inspired by Harper and Pfenning [HP05]. Like theirs, it is type-directed, but we are using the full dependent type and not an erasure to simple types (which would anyway not work due to large eliminations). We give the algorithm in form of judgements and rules in direct correspondence to a functional program.

Algorithmic equality is meant to be used as part of a type checking algorithm. It is the algorithmic counterpart of the definitional conversion rule; in particular, it will only be called on terms that are already known to be well-typed, and in fact on types that are well-sorted. We rely on this precondition in the algorithmic formulation.

Algorithmic equality consists of three interleaved judgements. A type equality test checks equality between two types, by inspecting their weak head normal forms. Terms found inside dependent types are reduced and the resulting neutral terms are compared by structural equality. The head variable of such neutrals provides type information that is then used to check the (non-normal) arguments using type-directed equality, by reasoning on the (normalized) type structure to perform η-expansions on product types. After enough expansions, a base type is reached, where structural equality is called again, or a sort, at which we use type equality.

Informally, the interleaved reductions are the algorithmic counterparts of the β-equality axiom, the type and structural equalities account for the compatibility rules, and type-directed equality corresponds to the η-equality axiom. The remaining equivalence rules are emergent global properties of the algorithm.

Inspired by discussions with Ulf Norell during the 11th Agda Implementers' Meeting.

Weak head reduction. Weak head normal forms (whnfs) are given by the following grammar: 

$$\mathrm{Whnf} \ni a, b, f, A, B, F ::= s \mid (x{\star}U) \to T \mid \lambda x{\star}U.\,t \mid n \qquad\text{whnf}$$

$$\mathrm{Wne} \ni n, N ::= x \mid n \star u \qquad\text{neutral whnf}$$

Weak head evaluation $t \searrow a$ and active application $f \mathbin{@\star} u \searrow a$ are functional relations 
given by the following rules. 

$$\frac{t \searrow f \qquad f \mathbin{@\star} u \searrow a}{t \star u \searrow a} \qquad \frac{}{a \searrow a} \qquad \frac{t[u/x] \searrow a}{(\lambda x{\star}U.\,t) \mathbin{@\star} u \searrow a} \qquad \frac{}{n \mathbin{@\star} u \searrow n \star u}$$

Instead of writing the propositions $t \searrow a$ and $P[a]$ we will sometimes simply write $P[{\downarrow}t]$. 
Similarly, we might write $P[f \mathbin{@\star} u]$ instead of $f \mathbin{@\star} u \searrow a$ and $P[a]$. In rules, it is understood 
that the evaluation judgement is always an extra premise, never an extra conclusion. 

Algorithmic equality is given as type equality, structural equality, and type-directed 
equality, which are mutually recursive. The equality algorithm is only invoked on well- 
formed expressions of the correct type. 

Type equality. Type equality $\Delta \vdash A \mathrel{\hat\Leftrightarrow} A'$, for weak head normal forms, and $\Delta \vdash T \Leftrightarrow T'$, for arbitrary well-formed types, checks that two given types are equal in their respective 
contexts. 

$$\frac{\Delta \vdash {\downarrow}T \mathrel{\hat\Leftrightarrow} {\downarrow}T'}{\Delta \vdash T \Leftrightarrow T'} \qquad \frac{\Delta \vdash N \leftrightarrow N' : T}{\Delta \vdash N \mathrel{\hat\Leftrightarrow} N'} \qquad \frac{\Delta \vdash U \Leftrightarrow U' \qquad \Delta.\,x{\star}U \vdash T \Leftrightarrow T'}{\Delta \vdash (x{\star}U) \to T \mathrel{\hat\Leftrightarrow} (x{\star}U') \to T'}$$

Note that when invoking structural equality on neutral types $N$ and $N'$, we do not care 
which type $T$ is returned, since we know by well-formedness that $N$ and $N'$ must have the 
same sort. 

Structural equality. Structural equality $\Delta \vdash n \mathrel{\hat\leftrightarrow} n' : A$ and $\Delta \vdash n \leftrightarrow n' : T$ checks the 
neutral expressions $n$ and $n'$ for equality and at the same time infers their type, which is 
returned as output. 

$$\frac{\Delta \vdash n \leftrightarrow n' : T}{\Delta \vdash n \mathrel{\hat\leftrightarrow} n' : {\downarrow}T} \qquad \frac{(x{:}T) \in \Delta}{\Delta \vdash x \leftrightarrow x : T}$$

$$\frac{\Delta \vdash n \mathrel{\hat\leftrightarrow} n' : (x{:}U) \to T \qquad \Delta \vdash u \Leftrightarrow u' : U}{\Delta \vdash n\,u \leftrightarrow n'\,u' : T[u/x]} \qquad \frac{\Delta \vdash n \mathrel{\hat\leftrightarrow} n' : (x{\div}U) \to T}{\Delta \vdash n \div u \leftrightarrow n' \div u' : T[u/x]}$$
Type-directed equality. Type-directed equality $\Delta \vdash t \mathrel{\hat\Leftrightarrow} t' : A$ and $\Delta \vdash t \Leftrightarrow t' : T$ checks 
terms $t$ and $t'$ for equality and proceeds by the structure of the supplied type, to account 
for $\eta$. 

$$\frac{\Delta \vdash t \mathrel{\hat\Leftrightarrow} t' : {\downarrow}T}{\Delta \vdash t \Leftrightarrow t' : T} \qquad \frac{\Delta.\,x{\star}U \vdash t \star x \Leftrightarrow t' \star x : T}{\Delta \vdash t \mathrel{\hat\Leftrightarrow} t' : (x{\star}U) \to T}$$

$$\frac{\Delta \vdash T \Leftrightarrow T'}{\Delta \vdash T \mathrel{\hat\Leftrightarrow} T' : s} \qquad \frac{\Delta \vdash {\downarrow}t \leftrightarrow {\downarrow}t' : T}{\Delta \vdash t \mathrel{\hat\Leftrightarrow} t' : N}$$

Note that in the last rule we do not check that the inferred type $T$ of ${\downarrow}t$ equals the 
ascribed type $N$. Since algorithmic equality is only invoked for well-typed $t$, we know that 
this must always be the case. Skipping this test is a conceptually important improvement 
over Harper and Pfenning [HP05]. 

Due to dependent typing, it is not obvious that algorithmic equality is symmetric and 
transitive. For instance, consider symmetry in case of application: We have to show that 
$\Delta \vdash n'\,u' \leftrightarrow n\,u : T[u/x]$, but using the induction hypothesis we obtain this equality only 
at type $T[u'/x]$. To conclude, we need to convert types, which is only valid if we know 
that $u$ and $u'$ are actually equal. Thus, we need soundness of algorithmic equality to show 
its transitivity. Soundness w.r.t. declarative equality requires subject reduction, which is 
not trivial, due to its dependency on function type injectivity. In the next section (Section 4), 
we construct a Kripke logical relation which gives us subject reduction and soundness 
of algorithmic equality (Section 5), and, finally, symmetry and transitivity of algorithmic 
equality. 

A simple fact about algorithmic equality is that the inferred types are unique up to 
syntactic equality (where we consider $\alpha$-convertible expressions as identical). Also, they 
only depend on the left hand side neutral term $n$. 

Lemma 3.1 (Uniqueness of inferred types). 

(1) If $\Delta \vdash n \mathrel{\hat\leftrightarrow} n_1 : A_1$ and $\Delta \vdash n \mathrel{\hat\leftrightarrow} n_2 : A_2$ then $A_1 = A_2$. 

(2) If $\Delta \vdash n \leftrightarrow n_1 : T_1$ and $\Delta \vdash n \leftrightarrow n_2 : T_2$ then $T_1 = T_2$. 

Extending structural equality to irrelevance, we let 

$$\frac{\Delta^{\oplus} \vdash n \mathrel{\hat\leftrightarrow} n : A \qquad \Delta^{\oplus} \vdash n' \mathrel{\hat\leftrightarrow} n' : A}{\Delta \vdash n \mathrel{\hat\leftrightarrow} n' \div A}$$

and analogously for $\Delta \vdash n \leftrightarrow n' \div T$. 
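The judgements of this section are stated so that they read as a functional program. The following Python module is an added example, not code from the paper or its authors: it implements weak head evaluation and the three mutually recursive equality judgements above (type equality, structural equality with its inferred type, and type-directed equality) for the core of IITT, namely sorts, annotated function types, abstractions, variables and applications. The tuple encoding of terms, the function names `whnf`, `type_eq`, `struct_eq` and `term_eq`, and the sample context built in `demo` are assumptions of this example. As in the text, an irrelevant argument is never compared, and the caller is responsible for only submitting well-typed terms.

```python
# Added example (not from the paper): the algorithmic equality judgements of
# Section 3 read as a functional program, for the core of IITT.
# Terms are tuples; ann is ':' (relevant) or '÷' (irrelevant):
#   ('Set', i)   ('Pi', ann, x, U, T)   ('Lam', ann, x, U, t)   ('Var', x)   ('App', ann, f, u)
# A context is a dict mapping a variable name to (ann, type).
import itertools

_counter = itertools.count()

def fresh(x):
    """Fresh variable name derived from x (used whenever a binder is opened)."""
    return f"{x}#{next(_counter)}"

def var(x):
    return ('Var', x)

def subst(t, x, u):
    """Capture-avoiding substitution t[u/x]: every binder passed is renamed."""
    kind = t[0]
    if kind == 'Var':
        return u if t[1] == x else t
    if kind == 'Set':
        return t
    if kind == 'App':
        return ('App', t[1], subst(t[2], x, u), subst(t[3], x, u))
    _, ann, y, U, body = t                       # 'Pi' or 'Lam'
    y2 = fresh(y)
    body = subst(body, y, var(y2))
    return (kind, ann, y2, subst(U, x, u), subst(body, x, u))

def whnf(t):
    """Weak head evaluation: contract beta-redexes in head position only."""
    if t[0] == 'App':
        _, ann, f, u = t
        f = whnf(f)
        if f[0] == 'Lam':                        # (\x*U.t) @* u evaluates t[u/x]
            return whnf(subst(f[4], f[2], u))
        return ('App', ann, f, u)                # n @* u is the neutral n * u
    return t

def type_eq(ctx, T1, T2):
    """Delta |- T <=> T' on arbitrary types: compare the weak head normal forms."""
    return type_eq_whnf(ctx, whnf(T1), whnf(T2))

def type_eq_whnf(ctx, A1, A2):
    """Delta |- A <=>^ A' on weak head normal types."""
    if A1[0] == 'Set' and A2[0] == 'Set':
        return A1[1] == A2[1]
    if A1[0] == 'Pi' and A2[0] == 'Pi':
        if A1[1] != A2[1] or not type_eq(ctx, A1[3], A2[3]):
            return False
        y = fresh(A1[2])
        ctx2 = {**ctx, y: (A1[1], A1[3])}
        return type_eq(ctx2, subst(A1[4], A1[2], var(y)), subst(A2[4], A2[2], var(y)))
    if A1[0] in ('Var', 'App') and A2[0] in ('Var', 'App'):
        return struct_eq(ctx, A1, A2) is not None   # inferred type is ignored
    return False

def struct_eq(ctx, n1, n2):
    """Delta |- n <-> n' : T on neutrals; returns the inferred type T or None."""
    if n1[0] == 'Var' and n2[0] == 'Var':
        return ctx[n1[1]][1] if n1[1] == n2[1] and n1[1] in ctx else None
    if n1[0] == 'App' and n2[0] == 'App' and n1[1] == n2[1]:
        T = struct_eq(ctx, n1[2], n2[2])
        if T is None:
            return None
        P = whnf(T)                              # must be (x ann U) -> T'
        if P[0] != 'Pi' or P[1] != n1[1]:
            return None
        # a relevant argument is checked type-directed at U; an irrelevant
        # argument is not compared at all (the rule for n ÷ u <-> n' ÷ u')
        if n1[1] == ':' and not term_eq(ctx, n1[3], n2[3], P[3]):
            return None
        return subst(P[4], P[2], n1[3])
    return None

def term_eq(ctx, t1, t2, T):
    """Delta |- t <=> t' : T, directed by the whnf of T (eta at function types)."""
    A = whnf(T)
    if A[0] == 'Pi':                             # compare t*x and t'*x under a fresh x
        y = fresh(A[2])
        ctx2 = {**ctx, y: (A[1], A[3])}
        return term_eq(ctx2, ('App', A[1], t1, var(y)), ('App', A[1], t2, var(y)),
                       subst(A[4], A[2], var(y)))
    if A[0] == 'Set':                            # at a sort: type equality
        return type_eq(ctx, t1, t2)
    return struct_eq(ctx, whnf(t1), whnf(t2)) is not None   # neutral type

def demo():
    """Constructed sample context and queries (assumed, not from the paper)."""
    A, x = var('A'), var('x')
    f, g, y, z = var('f'), var('g'), var('y'), var('z')
    ctx = {'A': (':', ('Set', 0)), 'f': (':', ('Pi', ':', 'x', A, A)),
           'g': (':', ('Pi', '÷', 'x', A, A)), 'y': (':', A), 'z': (':', A)}
    return {
        'eta': term_eq(ctx, ('Lam', ':', 'x', A, ('App', ':', f, x)), f, ('Pi', ':', 'x', A, A)),
        'beta': term_eq(ctx, ('App', ':', ('Lam', ':', 'x', A, x), y), y, A),
        'irrelevant_args': term_eq(ctx, ('App', '÷', g, y), ('App', '÷', g, z), A),
        'relevant_args': term_eq(ctx, ('App', ':', f, y), ('App', ':', f, z), A),
        'pi_annotation': type_eq(ctx, ('Pi', ':', 'x', A, A), ('Pi', '÷', 'x', A, A)),
    }
```

`demo()` exercises $\eta$ (the expansion $\lambda x{:}A.\,f\,x$ against $f$ at a function type), $\beta$ (a redex against its reduct), irrelevant versus relevant application with two different well-typed arguments, and two function types that differ only in their annotation. The inferred type returned by `struct_eq` is exactly the output the text describes, and `type_eq_whnf` discards it for neutral types, as the note after the type equality rules says it may.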

4. A Kripke Logical Relation for Soundness 

In this section, we construct a Kripke logical relation in the spirit of Goguen [Gog00] 
and Vanderwaart and Crary [VC02] that proves weak head normalization, function type 
injectivity, and subject reduction plus syntactical properties like substitution in judgements 
and syntactical validity. As an important consequence, we obtain soundness of algorithmic 
equality w.r.t. definitional equality. This allows us to establish that algorithmic equality 
on well-typed terms is a partial equivalence relation. 
4.1. An Induction Measure. Following Goguen [Gog94] and previous work [ACD08], we 
first define a semantic universe hierarchy $\mathcal U_i$ whose sole purpose is to provide a measure for 
defining a logical relation and proving some of its properties. The limit $\mathcal U_\omega$ corresponds to 
the proof-theoretic strength or ordinal of IITT. 

We denote sets of expressions by $\mathcal A, \mathcal B$ and functions from expressions to sets of expressions by $\mathcal F$. Let $\overline{\mathcal A} = \{t \mid {\downarrow}t \in \mathcal A\}$ denote the closure of $\mathcal A$ by weak head expansion. The 
dependent function space is defined as $\Pi\,\mathcal A\,\mathcal F = \{f \in \mathrm{Whnf} \mid \forall u \in \overline{\mathcal A}.\ f \mathbin{@} u \in \mathcal F(u)\}$. 

By recursion on $i \in \mathbb N$ we define inductively sets $\mathcal U_i \subseteq \mathrm{Whnf} \times \mathcal P(\mathrm{Whnf})$ as follows 
[ACD08, Sec. 5.1]: 

$$\frac{(\mathrm{Set}_j, \mathrm{Set}_i) \in \mathrm{Axiom}}{(\mathrm{Set}_j, |\mathcal U_j|) \in \mathcal U_i} \qquad \frac{}{(N, \mathrm{Wne}) \in \mathcal U_i}$$

$$\frac{(U, \mathcal A) \in \mathcal U_i \qquad \forall u \in \overline{\mathcal A}.\ (T[u/x], \mathcal F(u)) \in \overline{\mathcal U_j} \qquad (\mathrm{Set}_i, \mathrm{Set}_j, \mathrm{Set}_k) \in \mathrm{Rule}}{((x{\star}U) \to T,\ \Pi\,\mathcal A\,\mathcal F) \in \mathcal U_k}$$

Herein, $\overline{\mathcal U_i} = \{(T, \mathcal A) \mid ({\downarrow}T, \mathcal A) \in \mathcal U_i\}$ and $|\mathcal U_i| = \{A \mid (A, \mathcal A) \in \mathcal U_i \text{ for some } \mathcal A\}$. Only 
interested in computational strength, we treat relevant and irrelevant function spaces alike; 
at the level of predicates $\mathcal A$, irrelevance is anyhow not observable, only by relations as given 
later. 

The induction measure $A \in \mathrm{Set}_i$ shall now mean the minimum height of a derivation of 
$(A, \mathcal A) \in \mathcal U_i$ for some $\mathcal A$. Note that due to universe stratification, $A \in \mathrm{Set}_i$ is smaller than 
$\mathrm{Set}_i \in \mathrm{Set}_j$. 

4.2. A Kripke Logical Relation. Let $\Delta \vdash t \mathrel{:=:} t' \star T$ stand for the conjunction of the 
propositions 

• $\Delta \vdash t \star T$ and $\Delta \vdash t' \star T$, and 

• $\Delta \vdash t = t' \star T$. 

By induction on $A \in s$ we define two Kripke relations 

$$\Delta \vdash A \circledS A' : s$$
$$\Delta \vdash a \circledS a' : A$$

together with their respective closures $\circledS$ and the generalization to $\star$. For better readability, 
the clauses are given in rule form, meaning that the conclusion is defined as the conjunction 
of the premises. $\forall$ and $\Longrightarrow$ are meta-level quantification and implication, respectively. 

$$\frac{\Delta \vdash N \mathrel{:=:} N' : s}{\Delta \vdash N \circledS N' : s} \qquad \frac{\Delta \vdash n \mathrel{:=:} n' : N}{\Delta \vdash n \circledS n' : N} \qquad \frac{\vdash \Delta}{\Delta \vdash s \circledS s : s'}\ (s, s') \in \mathrm{Axiom}$$

$$\frac{\Delta \vdash U \circledS U' : s_1 \qquad \forall \Gamma \le \Delta,\ \Gamma \vdash u \circledS u' \star U \Longrightarrow \Gamma \vdash T[u/x] \circledS T'[u'/x] : s_2 \qquad \Delta \vdash (x{\star}U) \to^{s_1 s_2} T \mathrel{:=:} (x{\star}U') \to^{s_1 s_2} T' : s_3}{\Delta \vdash (x{\star}U) \to^{s_1 s_2} T \circledS (x{\star}U') \to^{s_1 s_2} T' : s_3}\ (s_1, s_2, s_3) \in \mathrm{Rule}$$

$$\frac{\forall \Gamma \le \Delta,\ \Gamma \vdash u \circledS u' \star U \Longrightarrow \Gamma \vdash f \star u \circledS f' \star u' : T[u/x] \qquad \Delta \vdash f \mathrel{:=:} f' : (x{\star}U) \to T}{\Delta \vdash f \circledS f' : (x{\star}U) \to T}$$

$$\frac{T \searrow A \qquad \Delta \vdash T = A \qquad \Delta \vdash t = a : A \qquad \Delta \vdash t' = a' : A \qquad \Delta \vdash a \circledS a' : A \qquad \Delta \vdash t \mathrel{:=:} t' : T}{\Delta \vdash t \circledS t' : T}$$

$$\frac{\Delta^{\oplus} \vdash a \circledS a : A \qquad \Delta^{\oplus} \vdash a' \circledS a' : A}{\Delta \vdash a \circledS a' \div A} \qquad \frac{\Delta^{\oplus} \vdash t \circledS t : T \qquad \Delta^{\oplus} \vdash t' \circledS t' : T}{\Delta \vdash t \circledS t' \div T}$$

It is immediate that the logical relation contains only well-typed and definitionally equal 
terms. We will demonstrate that it is also closed under weakening and conversion, symmetric 
and transitive. 

Lemma 4.1 (Weakening). 

(1) If $\Delta \vdash a \circledS a' : A$ and $\Gamma \le \Delta$ then there exists a derivation of $\Gamma \vdash a \circledS a' : A$ with the 
same height. 

(2) Analogously for $\Delta \vdash t \circledS t' : T$. 

Proof. By induction on $A \in s$ and $T \in s$, resp. □ 

Lemma 4.2 (Type conversion). 

(1) If $\Gamma \vdash A \circledS A' : s$ then $\Gamma \vdash a \circledS a' : A$ iff $\Gamma \vdash a \circledS a' : A'$. 

(2) If $\Gamma \vdash T \circledS T' : s$ then $\Gamma \vdash t \circledS t' : T$ iff $\Gamma \vdash t \circledS t' : T'$. 

Proof. Simultaneously by induction on $A \in s$ and $T \in s$, resp. We show the "if" direction, the 
"only if" follows analogously. The interesting case is the one of functions. 

Case 

$$\frac{\Delta \vdash U \circledS U' : s_1 \qquad \forall \Gamma \le \Delta,\ \Gamma \vdash u \circledS u' \star U \Longrightarrow \Gamma \vdash T[u/x] \circledS T'[u'/x] : s_2 \qquad \Delta \vdash (x{\star}U) \to^{s_1 s_2} T \mathrel{:=:} (x{\star}U') \to^{s_1 s_2} T' : s_3}{\Delta \vdash (x{\star}U) \to^{s_1 s_2} T \circledS (x{\star}U') \to^{s_1 s_2} T' : s_3}$$

$$\frac{\forall \Gamma \le \Delta,\ \Gamma \vdash u \circledS u' \star U \Longrightarrow \Gamma \vdash f \star u \circledS f' \star u' : T[u/x] \qquad \Delta \vdash f \mathrel{:=:} f' : (x{\star}U) \to T}{\Delta \vdash f \circledS f' : (x{\star}U) \to T}$$

First, $\Delta \vdash f \mathrel{:=:} f' : (x{\star}U') \to T'$ holds because of the conversion rule for typing and 
equality. Now assume arbitrary $\Gamma \le \Delta$ and $\Gamma \vdash u \circledS u' \star U'$ and show $\Gamma \vdash f \star u \circledS f' \star u' : T'[u/x]$. By induction hypothesis on $U \in s_1$ we have $\Gamma \vdash u \circledS u' \star U$, thus, 
$\Gamma \vdash f \star u \circledS f' \star u' : T[u/x]$ by assumption. By induction hypothesis on $T[u/x] \in s_2$ we 
obtain $\Gamma \vdash f \star u \circledS f' \star u' : T'[u/x]$. 

□ 

Lemma 4.3 (Symmetry and Transitivity). Let $\Delta \vdash T \circledS T : s$. 

(1) If $\Delta \vdash t \circledS t' : T$ then $\Delta \vdash t' \circledS t : T$. 

(2) If $\Delta \vdash t_1 \circledS t_2 : T$ and $\Delta \vdash t_2 \circledS t_3 : T$ then $\Delta \vdash t_1 \circledS t_3 : T$. 

Proof. We generalize the two statements to whnfs $\Delta \vdash A \circledS A : s$ and prove all four 
statements simultaneously by induction on $A \in s$ and $T \in s$, resp. 
Case Let us look at the case for functions. 

$$\frac{\Delta \vdash U \circledS U : s_1 \qquad \forall \Gamma \le \Delta,\ \Gamma \vdash u \circledS u' \star U \Longrightarrow \Gamma \vdash T[u/x] \circledS T[u'/x] : s_2 \qquad \Delta \vdash (x{\star}U) \to^{s_1 s_2} T \mathrel{:=:} (x{\star}U) \to^{s_1 s_2} T : s_3}{\Delta \vdash (x{\star}U) \to^{s_1 s_2} T \circledS (x{\star}U) \to^{s_1 s_2} T : s_3}$$
Case Symmetry: 

$$\frac{\forall \Gamma \le \Delta,\ \Gamma \vdash u \circledS u' \star U \Longrightarrow \Gamma \vdash f \star u \circledS f' \star u' : T[u/x] \qquad \Delta \vdash f \mathrel{:=:} f' : (x{\star}U) \to T}{\Delta \vdash f \circledS f' : (x{\star}U) \to T}$$

To show $\Delta \vdash f' \circledS f : (x{\star}U) \to T$, assume arbitrary $\Gamma \le \Delta$ and $\Gamma \vdash u' \circledS u \star U$ 
and show $\Gamma \vdash f' \star u' \circledS f \star u : T[u'/x]$. By induction hypothesis on $U \in s_1$, with 
weakened $\Gamma \vdash U \circledS U : s_1$, we have $\Gamma \vdash u \circledS u' \star U$, thus, $\Gamma \vdash f \star u \circledS f' \star u' : T[u/x]$ 
by assumption. Using symmetry and transitivity on $U$ we obtain $\Gamma \vdash u \circledS u \star U$, 
thus, $\Gamma \vdash T[u/x] \circledS T[u/x] : s_2$. By induction hypothesis on $T[u/x] \in s_2$ we apply 
symmetry to obtain $\Gamma \vdash f' \star u' \circledS f \star u : T[u/x]$, and since $\Gamma \vdash T[u/x] \circledS T[u'/x] : s_2$ 
we conclude by type conversion (Lemma 4.2). 
Case Transitivity: 

$$\frac{\forall \Gamma \le \Delta,\ \Gamma \vdash u \circledS u' \star U \Longrightarrow \Gamma \vdash f_1 \star u \circledS f_2 \star u' : T[u/x] \qquad \Delta \vdash f_1 \mathrel{:=:} f_2 : (x{\star}U) \to T}{\Delta \vdash f_1 \circledS f_2 : (x{\star}U) \to T}$$

$$\frac{\forall \Gamma \le \Delta,\ \Gamma \vdash u \circledS u' \star U \Longrightarrow \Gamma \vdash f_2 \star u \circledS f_3 \star u' : T[u/x] \qquad \Delta \vdash f_2 \mathrel{:=:} f_3 : (x{\star}U) \to T}{\Delta \vdash f_2 \circledS f_3 : (x{\star}U) \to T}$$

We wish to prove that $\Delta \vdash f_1 \circledS f_3 : (x{\star}U) \to T$. We get $\Delta \vdash f_1 \mathrel{:=:} f_3 : (x{\star}U) \to T$ 
immediately by transitivity of definitional equality. Given $\Gamma \le \Delta$ and $\Gamma \vdash u \circledS u' \star U$, 
we need to show that $\Gamma \vdash f_1 \star u \circledS f_3 \star u' : T[u/x]$. 

As $\Gamma \vdash \_ \circledS \_ : U$ is a PER by induction hypothesis, we have $\Gamma \vdash u \circledS u \star U$, which 
entails $f_1 \star u \circledS f_2 \star u : T[u/x]$. From $\Gamma \vdash u \circledS u' \star U$ we also have $\Gamma \vdash f_2 \star u \circledS f_3 \star u' : T[u/x]$, which allows us to conclude $\Gamma \vdash f_1 \star u \circledS f_3 \star u' : T[u/x]$ by transitivity at $T[u/x]$. 
Case Now, we consider function spaces: 
Case Transitivity: 

$$\frac{\Delta \vdash U_1 \circledS U_2 : s_1 \qquad \forall \Gamma \le \Delta,\ \Gamma \vdash u \circledS u' \star U_1 \Longrightarrow \Gamma \vdash T_1[u/x] \circledS T_2[u'/x] : s_2 \qquad \Delta \vdash (x{\star}U_1) \to^{s_1 s_2} T_1 \mathrel{:=:} (x{\star}U_2) \to^{s_1 s_2} T_2 : s_3}{\Delta \vdash (x{\star}U_1) \to^{s_1 s_2} T_1 \circledS (x{\star}U_2) \to^{s_1 s_2} T_2 : s_3}$$

$$\frac{\Delta \vdash U_2 \circledS U_3 : s_1 \qquad \forall \Gamma \le \Delta,\ \Gamma \vdash u \circledS u' \star U_2 \Longrightarrow \Gamma \vdash T_2[u/x] \circledS T_3[u'/x] : s_2 \qquad \Delta \vdash (x{\star}U_2) \to^{s_1 s_2} T_2 \mathrel{:=:} (x{\star}U_3) \to^{s_1 s_2} T_3 : s_3}{\Delta \vdash (x{\star}U_2) \to^{s_1 s_2} T_2 \circledS (x{\star}U_3) \to^{s_1 s_2} T_3 : s_3}$$

By transitivity we have $\Delta \vdash (x{\star}U_1) \to T_1 \mathrel{:=:} (x{\star}U_3) \to T_3 : s_3$ and $\Delta \vdash U_1 \circledS U_3 : s_1$ 
by induction hypothesis on $s_1$. 

Note that this is where the arrow sort annotations are useful. Without them we would 
not know that the sorts in both derivations are equal. We could have $\Delta \vdash U_1 \circledS U_2 : s_1$ 
and $\Delta \vdash U_2 \circledS U_3 : s_1'$ for apparently unrelated $s_1$ and $s_1'$, and would therefore be 
unable to use transitivity. 

Given $\Gamma \le \Delta$ and $\Gamma \vdash u \circledS u' \star U_1$, we need to show that $\Gamma \vdash T_1[u/x] \circledS T_3[u'/x] : s_2$. 
As $\circledS$ at type $U_1$ is a PER by induction hypothesis, we have $\Gamma \vdash u \circledS u \star U_1$, from which 
we can deduce $\Gamma \vdash T_1[u/x] \circledS T_2[u/x] : s_2$. By conversion using $\Delta \vdash U_1 \circledS U_2 : s_1$, 
weakened at $\Gamma$, we have $\Gamma \vdash u \circledS u' \star U_2$, which implies $\Gamma \vdash T_2[u/x] \circledS T_3[u'/x] : s_2$. 
This allows us to conclude by transitivity at type $s_2$. 

□ 

In the following we show that the variables are in the logical relation, i.e., $\Delta \vdash x \circledS x : \Delta(x)$ for well-formed contexts $\Delta$. As usual, this statement has to be generalized to neutrals 
$n$ to be proven inductively. 

Lemma 4.4 (Into the logical relation). Let $T \in s$. If $\Delta \vdash n \mathrel{:=:} n' \star T$ then $\Delta \vdash n \circledS n' \star T$. 

Proof. By induction on $T \in s$. 

Case $N \in s$ and $\Delta \vdash n \mathrel{:=:} n' \star N$. Then $\Delta \vdash n \circledS n' \star N$ by cases on $\star$, unfolding 
definitions. 
Case $s \in s'$ and $\Delta \vdash N \mathrel{:=:} N' \star s$. Then $\Delta \vdash N \circledS N' \star s$ by cases on $\star$. 
Case $(x{\star}U) \to T \in s_3$ and $\Delta \vdash n \mathrel{:=:} n' \bullet (x{\star}U) \to T$. 

First, the case for $\bullet = {:}$. We have $\Delta \vdash n \mathrel{:=:} n' : (x{\star}U) \to T$. Assume arbitrary 
$\Gamma \le \Delta$ and $\Gamma \vdash u \circledS u' \star U$, which yields $\Gamma \vdash u \mathrel{:=:} u' \star U$ and $\Gamma \vdash T[u/x] \circledS T[u/x] : s_2$. 
By weakening, $\Gamma \vdash n \star u \mathrel{:=:} n' \star u' : T[u/x]$, thus, by induction hypothesis, $\Gamma \vdash n \star u \circledS n' \star u' : T[u/x]$, q.e.d. 

The case for $\bullet = {\div}$ proceeds analogously. 

□ 
4.3. Validity in the Model. We now extend our logical relation $\circledS$ to substitutions, by 
induction on the destination context. 

$$\frac{}{\Delta \vdash \sigma \circledS \sigma' : \diamond} \qquad \frac{\Delta \vdash \sigma \circledS \sigma' : \Gamma \qquad \Delta \vdash \sigma(x) \circledS \sigma'(x) \star U\sigma}{\Delta \vdash \sigma \circledS \sigma' : \Gamma.\,x{\star}U}$$

This relation inherits weakening from $\circledS$ for terms. 

We then define the context ($\Vdash \Gamma$), type ($\Gamma \Vdash T = T'$) and term ($\Gamma \Vdash t = t' : T$) validity 
relations, by induction on the length of contexts. 

$$\frac{}{\Vdash \diamond} \qquad \frac{\Vdash \Gamma \qquad \Gamma \Vdash U}{\Vdash \Gamma.\,x{\star}U} \qquad \frac{\Gamma \Vdash T = T' : s}{\Gamma \Vdash T = T'} \qquad \frac{\Gamma \Vdash T = T}{\Gamma \Vdash T}$$

$$\frac{\Vdash \Gamma \qquad (\Gamma \Vdash T \text{ unless } T = s) \qquad \forall \Delta, \sigma, \sigma',\ \Delta \vdash \sigma \circledS \sigma' : \Gamma \Longrightarrow \Delta \vdash t\sigma \circledS t'\sigma' : T\sigma}{\Gamma \Vdash t = t' : T} \qquad \frac{\Gamma \Vdash t = t : T}{\Gamma \Vdash t : T}$$

Because of its asymmetric definition, the logical relation on substitutions may not be a PER 
in general, but it is for valid contexts. 

Lemma 4.5 (Substitution relation is a PER). If $\Vdash \Gamma$, then $\Delta \vdash \_ \circledS \_ : \Gamma$ is symmetric 
and transitive. 

Proof. By induction on $\Gamma$. We demonstrate symmetry for the case $\Vdash \Gamma.\,x{\star}U$. 

$$\frac{\Delta \vdash \sigma \circledS \sigma' : \Gamma \qquad \Delta \vdash \sigma(x) \circledS \sigma'(x) \star U\sigma}{\Delta \vdash \sigma \circledS \sigma' : \Gamma.\,x{\star}U}$$

By induction hypothesis, $\Delta \vdash \sigma' \circledS \sigma : \Gamma$, and by symmetry of $\circledS$ for terms (Lemma 4.3), 
$\Delta \vdash \sigma'(x) \circledS \sigma(x) \star U\sigma$. We instantiate $\Gamma \Vdash U$ to $\Delta \vdash U\sigma \circledS U\sigma' : s$ and conclude 
$\Delta \vdash \sigma'(x) \circledS \sigma(x) \star U\sigma'$ by conversion (Lemma 4.2). □ 

Lemma 4.6 (Validity is a PER). The relation $\Gamma \Vdash \_ = \_ : T$ is symmetric and transitive. 

Proof. Symmetry requires symmetry of $\circledS$ for substitutions and conversion with $\Delta \vdash T\sigma \circledS T\sigma' : s'$, similar as in Lemma 4.5. 

We demonstrate transitivity in detail. Given $\Gamma \Vdash t_1 = t_2 : T$ and $\Gamma \Vdash t_2 = t_3 : T$ we 
show $\Gamma \Vdash t_1 = t_3 : T$. Clearly, $\Vdash \Gamma$ and $\Gamma \Vdash T$ or $T = s$ by one of our two assumptions. 
Assume arbitrary $\Delta \vdash \sigma \circledS \sigma' : \Gamma$ and show $\Delta \vdash t_1\sigma \circledS t_3\sigma' : T\sigma$. By Lemma 4.5, 
$\Delta \vdash \sigma \circledS \sigma : \Gamma$, thus $\Delta \vdash t_1\sigma \circledS t_2\sigma : T\sigma$. Also, $\Delta \vdash t_2\sigma \circledS t_3\sigma' : T\sigma$ which entails our goal 
by transitivity of $\circledS$ (Lemma 4.3). □ 

Lemma 4.7 (Function type injectivity is valid). If $\Gamma \Vdash (x{\star}U) \to^{s_1 s_2} T = (x{\star}U') \to^{s_1' s_2'} T'$ 
then $s_1 = s_1'$ and $s_2 = s_2'$ and $\Gamma \Vdash U = U' : s_1$ and $\Gamma.\,x{\star}U' \Vdash T = T' : s_2$. 

Proof. Assume arbitrary $\Delta \vdash \sigma \circledS \sigma' : \Gamma$. We have $\Delta \vdash (x{\star}U\sigma) \to^{s_1 s_2} T\sigma \circledS (x{\star}U'\sigma') \to^{s_1' s_2'} T'\sigma' : s_3$, thus by definition $s_1 = s_1'$ and $s_2 = s_2'$ and $\Delta \vdash U'\sigma' \circledS U\sigma : s_1$; note that sorts 
are closed and therefore invariant by substitution. By symmetry of $\circledS$, and since $\Delta, \sigma, \sigma'$ 
were arbitrary, we have $\Gamma \Vdash U = U' : s_1$. 

Further, assume arbitrary $\Delta \vdash u \circledS u' \star U'\sigma$ and let $\rho = (\sigma, u/x)$ and $\rho' = (\sigma', u'/x)$. 
Note that w.l.o.g., $x \notin \mathrm{dom}(\Gamma)$ and $x \notin \mathrm{FV}(U')$ and $\Delta \vdash \rho \circledS \rho' : \Gamma.\,x{\star}U'$. We have 
$\Delta \vdash T\rho \circledS T'\rho' : s_2$ and since $\rho, \rho'$ were arbitrary, $\Gamma.\,x{\star}U' \Vdash T = T' : s_2$. □ 
Lemma 4.8 (Context satisfiable). If $\Vdash \Gamma$ then $\vdash \Gamma$ and $\Gamma \vdash \mathrm{id} \circledS \mathrm{id} : \Gamma$. 

Proof. By induction on $\Gamma$. The $\diamond$ case is immediate. In the $\Gamma.\,x{\star}U$ case, given 

$$\frac{\Vdash \Gamma \qquad \Gamma \Vdash U}{\Vdash \Gamma.\,x{\star}U}$$

we can use inference 

$$\frac{\Gamma.\,x{\star}U \vdash \mathrm{id} \circledS \mathrm{id} : \Gamma \qquad \Gamma.\,x{\star}U \vdash \mathrm{id}(x) \circledS \mathrm{id}(x) \star U\,\mathrm{id}}{\Gamma.\,x{\star}U \vdash \mathrm{id} \circledS \mathrm{id} : \Gamma.\,x{\star}U}$$

From the induction hypothesis $\Gamma \vdash \mathrm{id} \circledS \mathrm{id} : \Gamma$, we obtain the first premise by weakening 
of $\circledS$. It also yields $\Gamma \vdash U\,\mathrm{id} \circledS U\,\mathrm{id} : s$ for some $s$ by definition of $\Gamma \Vdash U$. Using the induction 
hypothesis $\vdash \Gamma$, this entails $\vdash \Gamma.\,x{\star}U$. Further, $\Gamma.\,x{\star}U \vdash x = x \star U$, and since trivially 
$\Gamma.\,x{\star}U \vdash x \mathrel{\hat\leftrightarrow} x \star U$, we can derive $\Gamma.\,x{\star}U \vdash x \circledS x \star U$ by Lemma 4.4. This concludes 
the second premise $\Gamma.\,x{\star}U \vdash \mathrm{id}(x) \circledS \mathrm{id}(x) \star U\,\mathrm{id}$. □ 

We can now show that every equation valid in the model is derivable in IITT. 

Theorem 4.9 (Completeness of IITT rules). If $\Gamma \Vdash t = t' : T$ then both $\Gamma \vdash t : T$ and 
$\Gamma \vdash t' : T$ and $\Gamma \vdash t = t' : T$ and $\Gamma \vdash T$. 

Proof. Using Lemma 4.8 we obtain $\Gamma \vdash t \circledS t' : T$, which entails $\Gamma \vdash t, t' : T$ and $\Gamma \vdash t = t' : T$. Analogously, since our assumption entails $\Gamma \Vdash T$ by definition, we get $\Gamma \vdash T$. □ 

4.4. Fundamental theorem. We prove a series of lemmata which constitute parts of the 
fundamental theorem for the Kripke logical relation. 

Lemma 4.10 (Resurrection). If $\Vdash \Gamma$ and $\Delta \vdash \sigma \circledS \sigma' : \Gamma$ then $\Delta^{\oplus} \vdash \sigma \circledS \sigma : \Gamma^{\oplus}$ and 
$\Delta^{\oplus} \vdash \sigma' \circledS \sigma' : \Gamma^{\oplus}$. 

Proof. By induction on $\Gamma$, the interesting case being 

$$\frac{\Delta \vdash \sigma \circledS \sigma' : \Gamma \qquad \Delta \vdash \sigma(x) \circledS \sigma'(x) \star U\sigma}{\Delta \vdash \sigma \circledS \sigma' : \Gamma.\,x{\star}U}$$

First, we show $\Delta^{\oplus} \vdash \sigma \circledS \sigma : (\Gamma^{\oplus}.\,x{:}U)$. By induction hypothesis $\Delta^{\oplus} \vdash \sigma \circledS \sigma : \Gamma^{\oplus}$, and 
by definition, $\Delta^{\oplus} \vdash \sigma(x) \circledS \sigma(x) : U\sigma$. This immediately entails our goal. 

For the second goal $\Delta^{\oplus} \vdash \sigma' \circledS \sigma' : (\Gamma^{\oplus}.\,x{:}U)$, observe that $\Gamma \Vdash U$, hence $\Delta \vdash U\sigma \circledS U\sigma' : s$ for some sort $s$. Thus, we can cast our hypothesis $\Delta \vdash \sigma'(x) \circledS \sigma'(x) : U\sigma$ to $U\sigma'$ 
and conclude analogously. □ 

Corollary 4.11. If $\Gamma^{\bullet} \Vdash u : U$ and $\Delta \vdash \sigma \circledS \sigma' : \Gamma$ then $\Delta \vdash u\sigma \circledS u\sigma' \bullet U\sigma$. 

Proof. In case $\bullet = {:}$ it holds by definition, but we need resurrection for $\bullet = {\div}$. If $\Delta \vdash \sigma \circledS \sigma' : \Gamma$, then by resurrection (Lemma 4.10) we have $\Delta^{\oplus} \vdash \sigma \circledS \sigma : \Gamma^{\oplus}$, so from $\Gamma^{\oplus} \Vdash u : U$ 
we deduce $\Delta^{\oplus} \vdash u\sigma \circledS u\sigma : U\sigma$. Analogously we get $\Delta^{\oplus} \vdash u\sigma' \circledS u\sigma' : U\sigma'$ which we cast 
to $\Delta^{\oplus} \vdash u\sigma' \circledS u\sigma' : U\sigma$. □ 

Lemma 4.12 (Validity of $\beta$-reduction). 

$$\frac{\Gamma.\,x{\star}U \Vdash t : T \qquad \Gamma \Vdash u \star U}{\Gamma \Vdash (\lambda x{\star}U.\,t) \star u = t[u/x] : T[u/x]}$$

Proof. $\Vdash \Gamma$ is contained in the first hypothesis $\Gamma \Vdash u \star U$. Then, given $\Delta \vdash \rho \circledS \rho' : \Gamma$ 
we need to show $\Delta \vdash (\lambda x{\star}U.\,t)\rho \star u\rho \circledS t(\rho', u\rho'/x) : T(\rho, u\rho/x)$ and also $\Delta \vdash T[u/x]\rho \circledS T[u/x]\rho' : s$ for some $s$ (the latter to get $\Gamma \Vdash T[u/x]$). 

Let $\sigma = (\rho, u\rho/x)$ and $\sigma' = (\rho', u\rho'/x)$. From the second hypothesis and Cor. 4.11 we get 
$\Delta \vdash u\rho \circledS u\rho' \star U\rho$, which gives $\Delta \vdash \sigma \circledS \sigma' : \Gamma.\,x{\star}U$. By instantiating the first hypothesis 
we get $\Delta \vdash t\sigma \circledS t\sigma' : T\sigma$, and also (from the premise $\Gamma.\,x{\star}U \Vdash T$) $\Delta \vdash T\sigma = T\sigma'$, which 
gives $\Gamma \Vdash T[u/x]$. 

Finally, from $\Delta \vdash t\sigma \circledS t\sigma'$ we get the desired $\Delta \vdash (\lambda x{\star}U.\,t)\rho \star u\rho \circledS t\sigma' : T\sigma$, as $\circledS$ is 
closed by weak head expansion to well-typed $\Delta \vdash (\lambda x{\star}U.\,t)\rho \star u\rho : T\sigma$. □ 

Lemma 4.13 (Validity of $\eta$). 

$$\frac{\Gamma \Vdash t : (x{\star}U) \to T}{\Gamma \Vdash t = \lambda x{\star}U.\,t \star x : (x{\star}U) \to T}$$

Proof. $\Vdash \Gamma$ and $\Gamma \Vdash (x{\star}U) \to T$ are direct consequences of our hypothesis. Given $\Delta \vdash \rho \circledS \rho' : \Gamma$, we need to show $\Delta \vdash t\rho \circledS (\lambda x{\star}U.\,t \star x)\rho' : ((x{\star}U) \to T)\rho$. W.l.o.g., $x$ is not free in 
the domain nor range of substitutions $\rho$ and $\rho'$, thus with $t' := t\rho$, $t'' := t\rho'$, $U' := U\rho$, $U'' := U\rho'$, $T' := T\rho$ and $T'' := T\rho'$ it is sufficient to show $\Delta \vdash t' \circledS \lambda x{\star}U''.\,t'' \star x : (x{\star}U') \to T'$. 

First, given $(\Delta', u, u')$ such that $\Delta' \le \Delta$ and $\Delta' \vdash u \circledS u' \star U'$, we show $\Delta' \vdash t' \star u \circledS (\lambda x{\star}U''.\,t'' \star x) \star u' : T'[u/x]$. Our hypothesis $\Gamma \Vdash t : (x{\star}U) \to T$ entails $\Delta \vdash t\rho \circledS t\rho' : ((x{\star}U) \to T)\rho$, that is to say $\Delta \vdash t' \circledS t'' : (x{\star}U') \to T'$. This logical relation at a 
function type, when instantiated to $(\Delta', u, u')$, gives us $\Delta' \vdash t' \star u \circledS t'' \star u' : T'[u/x]$, which 
weak-head expands to the desired goal. 

Second, we show $\Delta \vdash t' \mathrel{:=:} \lambda x{\star}U''.\,t'' \star x : (x{\star}U') \to T'$. 

• $\Delta \vdash t' : (x{\star}U') \to T'$ is a simple consequence of our hypothesis $\Gamma \Vdash t : (x{\star}U) \to T$. 

• $\Delta \vdash \lambda x{\star}U''.\,t'' \star x : (x{\star}U') \to T'$ has the following proof: 

$$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\Gamma \Vdash t : (x{\star}U) \to T}{\Delta \vdash t'' : (x{\star}U'') \to T''}}{\Delta.\,x{\star}U'' \vdash t'' : (x{\star}U'') \to T''}\;\text{weak} \qquad \dfrac{}{(\Delta.\,x{\star}U'')^{\star} \vdash x : U''}\;\text{var}}{\Delta.\,x{\star}U'' \vdash t'' \star x : T''} \qquad \dfrac{\Gamma \Vdash (x{\star}U) \to T}{\Delta \vdash (x{\star}U'') \to T''}}{\Delta \vdash \lambda x{\star}U''.\,t'' \star x : (x{\star}U'') \to T''}}{\Delta \vdash \lambda x{\star}U''.\,t'' \star x : (x{\star}U') \to T'}\;\text{conv}$$

• $\Delta \vdash t' = \lambda x{\star}U''.\,t'' \star x : (x{\star}U') \to T'$. The $\eta$-rule of definitional equality gives us 
$\Delta \vdash t'' = \lambda x{\star}U''.\,t'' \star x : (x{\star}U'') \to T''$. From $\Gamma \Vdash (x{\star}U) \to T$ we can convert it 
to the type $(x{\star}U') \to T'$, and then conclude by transitivity using $\Delta \vdash t' = t'' : (x{\star}U') \to T'$, which is a direct consequence of $\Gamma \Vdash t : (x{\star}U) \to T$. 

□ 

Lemma 4.14 (Validity of function equality). 

$$\frac{\Gamma \Vdash U = U' \qquad \Gamma.\,x{\star}U \Vdash t = t' : T}{\Gamma \Vdash (\lambda x{\star}U.\,t) = (\lambda x{\star}U'.\,t') : (x{\star}U) \to T}$$

Proof. Again $\Vdash \Gamma$ and $\Gamma \Vdash (x{\star}U) \to T$ are simple consequences of our hypotheses. Given 
$\Delta \vdash \rho \circledS \rho' : \Gamma$ (w.l.o.g., $x$ is not free in the domain or range of $\rho, \rho'$), we need to show 
$\Delta \vdash (\lambda x{\star}U\rho.\,t\rho) \circledS (\lambda x{\star}U'\rho'.\,t'\rho') : ((x{\star}U\rho) \to T\rho)$. We will skip the proof of $\Delta \vdash (\lambda x{\star}U\rho.\,t\rho) \mathrel{:=:} (\lambda x{\star}U'\rho'.\,t'\rho') : ((x{\star}U\rho) \to T\rho)$, as it is similar to the corresponding part 
of the $\eta$-validity lemma. 

Given $(\Delta', u, u')$ such that $\Delta' \le \Delta$ and $\Delta' \vdash u \circledS u' \star U\rho$, we have to show that 
$\Delta' \vdash (\lambda x{\star}U\rho.\,t\rho) \star u \circledS (\lambda x{\star}U'\rho'.\,t'\rho') \star u' : T\rho[u/x]$. Let $\sigma = (\rho, u/x)$ and $\sigma' = (\rho', u'/x)$. 
As we supposed $\Delta' \vdash u \circledS u' \star U\rho$, we have $\Delta' \vdash \sigma \circledS \sigma' : \Gamma.\,x{\star}U\rho$. Instantiating the second 
hypothesis with $\Delta', \sigma, \sigma'$ therefore gives us $\Delta' \vdash t\sigma \circledS t'\sigma' : T\sigma$, which can also be written 
$\Delta' \vdash t\rho[u/x] \circledS t'\rho'[u'/x] : T\rho[u/x]$, which is weak-head expansible to our goal. □ 

Lemma 4.15 (Validity of irrelevant application). 

$$\frac{\Gamma \Vdash t = t' : (x{\div}U) \to T \qquad \Gamma^{\oplus} \Vdash u : U \qquad \Gamma^{\oplus} \Vdash u' : U}{\Gamma \Vdash t \div u = t' \div u' : T[u/x]}$$

Proof. Assume arbitrary $\Delta \vdash \rho \circledS \rho' : \Gamma$ and show $\Delta \vdash t\rho \div u\rho \circledS t'\rho' \div u'\rho' : T(\rho, u\rho/x)$. 
By the first hypothesis, it is sufficient to show $\Delta \vdash u\rho \circledS u'\rho' \div U\rho$, which means $\Delta^{\oplus} \vdash u\rho \circledS u\rho : U\rho$ and $\Delta^{\oplus} \vdash u'\rho' \circledS u'\rho' : U\rho$. By Resurrection (Lemma 4.10), $\Delta^{\oplus} \vdash \rho \circledS \rho : \Gamma^{\oplus}$, hence $\Delta^{\oplus} \vdash u\rho \circledS u\rho : U\rho$ from the second hypothesis. Analogously, we obtain 
$\Delta^{\oplus} \vdash u'\rho' \circledS u'\rho' : U\rho'$ from the third hypothesis which we can cast to $U\rho$ by virtue of 
$\Gamma \Vdash U$ which we get from $\Gamma \Vdash (x{\div}U) \to T$ by Lemma 4.7. □ 

Theorem 4.16 (Fundamental theorem of logical relations). 

(1) If $\vdash \Gamma$ then $\Vdash \Gamma$. 

(2) If $\Gamma \vdash t : T$ then $\Gamma \Vdash t : T$. 

(3) If $\Gamma \vdash t = t' : T$ then $\Gamma \Vdash t = t' : T$. 

Proof. By induction on the derivation. □ 

As a simple corollary we obtain syntactic validity, namely that definitional equality 
implies well-typedness and well-typedness implies well-formedness of the involved type. 
This lemma could have been proven purely syntactically, but the syntactic proof requires a 
sequence of carefully arranged lemmata like context conversion, substitution, functionality, 
and inversion on types [HP05, AC07]. Our "sledgehammer" semantic argument is built into 
the Kripke logical relation, in the spirit of Goguen [Gog00]. 

Corollary 4.17 (Syntactic validity). 

(1) If $\Gamma \vdash t : T$ then $\Gamma \vdash T$. 

(2) If $\Gamma \vdash t = t' : T$ then $\Gamma \vdash t : T$ and $\Gamma \vdash t' : T$. 

Proof. By the fundamental theorem, $\Gamma \vdash t = t' : T$ implies $\Gamma \Vdash t = t' : T$, which by 
Thm. 4.9 implies $\Gamma \vdash t, t' : T$ and $\Gamma \vdash T$. □ 
5. Meta-theoretic Consequences of the Model Construction 

In this section, we explicate the results established by the Kripke model. 

5.1. Admissibility of Substitution. Goguen [Gog00] observes that admissibility of substitution for the syntactic judgements can be inherited from the Kripke logical relation, 
which is closed under substitution by its very definition. 

To show that the judgements of IITT are closed under substitution we introduce relations $\Gamma \vdash \sigma : \Gamma'$ for substitution typing and $\Gamma \vdash \sigma = \sigma' : \Gamma'$ for substitution equality which 
are given inductively by the following rules: 

$$\frac{\vdash \Gamma}{\Gamma \vdash \sigma : \diamond} \qquad \frac{\Gamma \vdash \sigma : \Gamma' \qquad \Gamma' \vdash U \qquad \Gamma \vdash \sigma(x) \star U\sigma}{\Gamma \vdash \sigma : \Gamma'.\,x{\star}U}$$

$$\frac{\vdash \Gamma}{\Gamma \vdash \sigma = \sigma' : \diamond} \qquad \frac{\Gamma \vdash \sigma = \sigma' : \Gamma' \qquad \Gamma' \vdash U \qquad \Gamma \vdash \sigma(x) = \sigma'(x) \star U\sigma}{\Gamma \vdash \sigma = \sigma' : \Gamma'.\,x{\star}U}$$

Substitution typing and equality are closed under weakening. 

Semantically, substitutions are explained by environments. We define substitution validity as follows, again in rule form but not inductively: 

$$\frac{\Gamma \Vdash \sigma = \sigma : \Gamma'}{\Gamma \Vdash \sigma : \Gamma'} \qquad \frac{\Vdash \Gamma \qquad \Vdash \Gamma' \qquad \forall \Delta \vdash \rho \circledS \rho' : \Gamma.\ \Delta \vdash \sigma\rho \circledS \sigma'\rho' : \Gamma'}{\Gamma \Vdash \sigma = \sigma' : \Gamma'}$$

Lemma 5.1 (Fundamental lemma for substitutions). 

(1) If $\Gamma \vdash \sigma : \Gamma'$ then $\Gamma \Vdash \sigma : \Gamma'$. 

(2) If $\Gamma \vdash \sigma = \sigma' : \Gamma'$ then $\Gamma \Vdash \sigma = \sigma' : \Gamma'$. 

Proof. We demonstrate (2) by induction on $\Gamma \vdash \sigma = \sigma' : \Gamma'$. 

Case 

$$\frac{\vdash \Gamma}{\Gamma \vdash \sigma = \sigma' : \diamond}$$

We have $\Vdash \Gamma$ by Thm. 4.16 and $\Vdash \diamond$ trivially. Also, $\Delta \vdash \sigma\rho \circledS \sigma'\rho' : \diamond$ trivially for any 
$\Delta \vdash \rho \circledS \rho' : \Gamma$. 

Case 

$$\frac{\Gamma \vdash \sigma = \sigma' : \Gamma' \qquad \Gamma' \vdash U \qquad \Gamma \vdash \sigma(x) = \sigma'(x) \star U\sigma}{\Gamma \vdash \sigma = \sigma' : \Gamma'.\,x{\star}U}$$

We have $\Vdash \Gamma$ and $\Vdash \Gamma'$ by induction hypothesis and $\Gamma' \Vdash U$ by Thm. 4.16, thus, 
$\Vdash \Gamma'.\,x{\star}U$. Now assume arbitrary $\Delta \vdash \rho \circledS \rho' : \Gamma$ and show $\Delta \vdash \sigma\rho \circledS \sigma'\rho' : \Gamma'.\,x{\star}U$. 
First, $\Delta \vdash \sigma\rho \circledS \sigma'\rho' : \Gamma'$ follows by induction hypothesis. The second subgoal $\Delta \vdash (\sigma\rho)(x) \circledS (\sigma'\rho')(x) \star U\sigma\rho$ is just an instance of the second induction hypothesis. □ 

Theorem 5.2 (Substitution and functionality). 

(1) If $\Gamma \vdash \sigma : \Gamma'$ and $\Gamma' \vdash t : T$ then $\Gamma \vdash t\sigma : T\sigma$. 

(2) If $\Gamma \vdash \sigma : \Gamma'$ and $\Gamma' \vdash t = t' : T$ then $\Gamma \vdash t\sigma = t'\sigma : T\sigma$. 

(3) If $\Gamma \vdash \sigma = \sigma' : \Gamma'$ and $\Gamma' \vdash t : T$ then $\Gamma \vdash t\sigma = t\sigma' : T\sigma$. 

(4) If $\Gamma \vdash \sigma = \sigma' : \Gamma'$ and $\Gamma' \vdash t = t' : T$ then $\Gamma \vdash t\sigma = t'\sigma' : T\sigma$. 

Proof. We demonstrate (4); the other cases are just variations of the theme. First, from 
$\Gamma \vdash \sigma = \sigma' : \Gamma'$ we get $\Gamma \vdash \sigma \circledS \sigma' : \Gamma'$ by the fundamental lemma for substitutions 
(Lemma 5.1), using the identity environment $\Gamma \vdash \mathrm{id} \circledS \mathrm{id} : \Gamma$. Now, by the fundamental 
theorem on $\Gamma' \vdash t = t' : T$ we obtain $\Gamma \vdash t\sigma \circledS t'\sigma' : T\sigma$, which entails our goal $\Gamma \vdash t\sigma = t'\sigma' : T\sigma$ by Thm. 4.9. □ 

5.2. Context conversion. Context equality $\vdash \Gamma = \Gamma'$ is defined inductively by the rules 

$$\frac{}{\vdash \diamond = \diamond} \qquad \frac{\vdash \Gamma = \Gamma' \qquad \Gamma \vdash U = U'}{\vdash \Gamma.\,x{\star}U = \Gamma'.\,x{\star}U'}$$

All declarative judgements are closed under context conversion. This fact is easy to 
prove by induction over derivations, but we get it as just a special case of substitution. 

Lemma 5.3 (Identity substitution). If $\vdash \Gamma = \Gamma'$ then $\Gamma \vdash \mathrm{id} = \mathrm{id} : \Gamma'$. 

Proof. By induction on $\vdash \Gamma = \Gamma'$. 

Case 

$$\frac{\vdash \Gamma = \Gamma' \qquad \Gamma \vdash U = U'}{\vdash \Gamma.\,x{\star}U = \Gamma'.\,x{\star}U'}$$

By induction hypothesis and weakening, $\Gamma.\,x{\star}U \vdash \mathrm{id} = \mathrm{id} : \Gamma'$. Also, $\Gamma.\,x{\star}U \vdash x = x \star U$ 
and by conversion $\Gamma.\,x{\star}U \vdash x = x \star U'$. Together, $\Gamma.\,x{\star}U \vdash \mathrm{id} = \mathrm{id} : \Gamma'.\,x{\star}U'$. □ 

Theorem 5.4 (Context conversion). Let $\vdash \Gamma' = \Gamma$. 

(1) If $\Gamma \vdash t : T$ then $\Gamma' \vdash t : T$. 

(2) If $\Gamma \vdash t = t' : T$ then $\Gamma' \vdash t = t' : T$. 

Proof. By Thm. 5.2 with $\Gamma' \vdash \mathrm{id} = \mathrm{id} : \Gamma$. □ 

As a consequence, context equality is symmetric and transitive (we can trade $\Gamma \vdash U = U'$ for $\Gamma' \vdash U = U'$). Thus, context conversion can be applied in the other direction as well. 

5.3. Inversion, injectivity, and type unicity. A condition for the decidability of type 
checking is the ability to invert typing derivations. The proof requires substitution. 

Lemma 5.5 (Inversion). 

(1) If $\Gamma \vdash x : T$ then $(x{:}U) \in \Gamma$ for some $U$ with $\Gamma \vdash U = T$. 

(2) If $\Gamma \vdash \lambda x{\star}U.\,t : T$ then $\Gamma.\,x{\star}U \vdash t : T'$ for some $T'$ with $\Gamma \vdash (x{\star}U) \to T' = T$. 

(3) If $\Gamma \vdash t \star u : T$ then $\Gamma \vdash t : (x{\star}U) \to T'$ and $\Gamma \vdash u \star U$ for some $U, T'$ with $\Gamma \vdash T'[u/x] = T$. 

(4) If $\Gamma \vdash s : T$ then there is $(s, s') \in \mathrm{Axiom}$ such that $\Gamma \vdash s' = T$. 

(5) If $\Gamma \vdash (x{\star}U) \to^{s_1 s_2} T' : T$ then $\Gamma \vdash U : s_1$ and $\Gamma.\,x{\star}U \vdash T' : s_2$, and for some $s_3$ we have 
$\Gamma \vdash s_3 = T$ and $(s_1, s_2, s_3) \in \mathrm{Rule}$. 

Proof. Each by induction on the typing derivation. □ 

Remark 5.6. The need for inversion during type checking is the only good reason to have 
separate typing rules and not simply define typing $\Gamma \vdash t : T$ as the diagonal $\Gamma \vdash t = t : T$ 
of equality. While by a logical relation argument we will obtain a suitable inversion result 
for $\Gamma \vdash (x{\star}U) \to T = (x{\star}U') \to T'$, the famous function type injectivity (Theorem 5.7), it 
seems hard to get something similar for application $t\,u$. 
Injectivity for function types w.r.t. typed equality is known to be tricky. It is connected 
to subject reduction and required for many meta-theoretic results. We harvest it from our 
Kripke model. 

Theorem 5.7 (Function type injectivity). If $\Gamma \vdash (x{\star}U) \to^{s_1 s_2} T = (x{\star}U') \to^{s_1' s_2'} T' : s_3$ then 
$s_1 = s_1'$ and $s_2 = s_2'$ and $\Gamma \vdash U = U' : s_1$ and $\Gamma.\,x{\star}U \vdash T = T' : s_2$. 

Proof. This follows from Lemma 4.7. Or we can prove it directly as follows: Since $\Gamma \vdash \mathrm{id} \circledS \mathrm{id} : \Gamma$ we have by the fundamental theorem $\Gamma \vdash (x{\star}U) \to T \circledS (x{\star}U') \to T' : s_3$ which by 
inversion yields first $s_1 = s_1'$ and $s_2 = s_2'$ and $\Gamma \vdash U \circledS U' : s_1$ and $\Gamma \vdash U = U' : s_1$. Since 
$\Gamma.\,x{\star}U \vdash x \circledS x \star U$, we also obtain $\Gamma.\,x{\star}U \vdash T \circledS T' : s_2$ and conclude $\Gamma.\,x{\star}U \vdash T = T' : s_2$. 

□ 

From the inversion lemma we can prove uniqueness of types, since we are dealing with 
a functional PTS, and we have function type injectivity. 

Theorem 5.8 (Type unicity). If $\Gamma \vdash t : T$ and $\Gamma \vdash t : T'$ then $\Gamma \vdash T = T'$. 

Proof. By induction on $t$, using inversion. □ 

5.4. Normalization and Subject Reduction. An immediate consequence of the model 
construction is that each term has a weak head normal form and that typing and equality 
are preserved by weak head normalization. 

Theorem 5.9 (Normalization and subject reduction). If $\Gamma \vdash t : T$ then $t \searrow a$ and $\Gamma \vdash t = a : T$. 

Proof. By the fundamental theorem, $\Gamma \vdash t \circledS t : T$ which by definition contains a derivation 
of $\Gamma \vdash t = {\downarrow}t : T$. □ 

5.5. Consistency. Importantly, not every type is inhabited in IITT, thus, it can be used 
as a logic. A prerequisite is that types can be distinguished, which follows immediately 
from the construction of the logical relation. 

Lemma 5.10 (Type constructor discrimination). Neutral types, sorts and function types 
are mutually unequal. 

(1) $\Gamma \vdash N \neq s$. 

(2) $\Gamma \vdash N \neq (x{\star}U) \to T$. 

(3) $\Gamma \vdash s = s'$ implies $s = s'$. 

(4) $\Gamma \vdash s \neq (x{\star}U) \to T$. 

Proof. By the fundamental theorem applied to the identity substitution. For instance, 
assuming $\Gamma \vdash N = s : s'$ we get $\Gamma \vdash N \circledS s : s'$ but this is a contradiction to the definition 
of $\circledS$. □ 

From normalization and type constructor discrimination we can show that not every 
type is inhabited. 

Theorem 5.11 (Consistency). $X{:}\mathrm{Set}_0 \nvdash t : X$. 

Proof. Let $\Gamma = (X{:}\mathrm{Set}_0)$. Assuming $\Gamma \vdash t : X$, we have $\Gamma \vdash a : X$ for the whnf $a$ of $t$. 
We invert on the typing of $a$. By Lemma 5.10, $X$ cannot be equal to a function type or 
sort, thus, $a$ can neither be a $\lambda$ nor a function type nor a sort; it can only be neutral. The 
only variable $X$ must be in the head of $a$, but since $X$ is not of function type, it cannot be 
applied. Thus, $a = X$ and $\Gamma \vdash X : X$, implying $\Gamma \vdash X = \mathrm{Set}_0$ by inversion (Lemma 5.5). 
This is in contradiction to Lemma 5.10. □ 



5.6. Soundness of Algorithmic Equality. Soundness of the equality algorithm is a consequence of subject reduction. 

Theorem 5.12 (Soundness of algorithmic equality). 

(1) Let $\Delta \vdash t, t' : T$. If $\Delta \vdash t \Leftrightarrow t' : T$ then $\Delta \vdash t = t' : T$. 

(2) Let $\Delta \vdash n, n' : T$. If $\Delta \vdash n \leftrightarrow n' : U$ then $\Delta \vdash n = n' : U$ and $\Delta \vdash U = T$. 

Proof. Generalize the theorem to all six algorithmic equality judgements and prove it by 
induction on the algorithmic equality derivation. Since we have subject reduction, the 
proof proceeds mechanically, because each algorithmic rule corresponds, modulo weak head 
normalization, to a declarative rule. 
Case $\Delta \vdash T : s$ and $\Delta \vdash T' : s$ and 

$$\frac{\Delta \vdash {\downarrow}T \mathrel{\hat\Leftrightarrow} {\downarrow}T'}{\Delta \vdash T \Leftrightarrow T'}$$

By induction hypothesis, $\Delta \vdash {\downarrow}T = {\downarrow}T' : s$. By subject reduction $\Delta \vdash T = {\downarrow}T : s$ and 
$\Delta \vdash T' = {\downarrow}T' : s$. By transitivity $\Delta \vdash T = T' : s$. 

Case 

$$\frac{\Delta \vdash T \Leftrightarrow T'}{\Delta \vdash T \mathrel{\hat\Leftrightarrow} T' : s}$$

By induction hypothesis, $\Delta \vdash T = T' : s$. □ 

5.7. Symmetry and Transitivity of Algorithmic Equality. Since algorithmic equality 
is sound for well-typed terms, it is also symmetric and transitive. 

Lemma 5.13 (Type and context conversion in algorithmic equality). Let $\vdash \Delta = \Delta'$. 

(1) If $\Delta \vdash A, A'$ and $\Delta \vdash A \mathrel{\hat\Leftrightarrow} A'$ then $\Delta' \vdash A \mathrel{\hat\Leftrightarrow} A'$. 

(2) If $\Delta \vdash n, n' : A$ and $\Delta \vdash n \mathrel{\hat\leftrightarrow} n' : A$ then $\Delta' \vdash n \mathrel{\hat\leftrightarrow} n' : A'$ for some $A'$ with 
$\Delta \vdash A = A'$. 

(3) If $\Delta \vdash t, t' : A$ and $\Delta \vdash t \mathrel{\hat\Leftrightarrow} t' : A$ and $\Delta \vdash A = A'$ then $\Delta' \vdash t \mathrel{\hat\Leftrightarrow} t' : A'$. 

Proof. By induction on the derivation of algorithmic equality, where we extend the statements to $\leftrightarrow$ and $\Leftrightarrow$ accordingly. 
(1) Type equality. 

Case 

$$\frac{\Delta \vdash U \Leftrightarrow U' \qquad \Delta.\,x{\star}U \vdash T \Leftrightarrow T'}{\Delta \vdash (x{\star}U) \to T \mathrel{\hat\Leftrightarrow} (x{\star}U') \to T'}$$

By inversion, $\Delta \vdash U, U'$ and by induction hypothesis, $\Delta' \vdash U \Leftrightarrow U'$. Again by 
inversion, $\Delta.\,x{\star}U \vdash T$ and $\Delta.\,x{\star}U' \vdash T'$, yet by soundness of algorithmic equality, 
$\Delta \vdash U = U'$, hence $\Delta.\,x{\star}U \vdash T'$ by context conversion. Further, $\vdash \Delta.\,x{\star}U = \Delta'.\,x{\star}U$. Thus, we can apply the other induction hypothesis to obtain $\Delta'.\,x{\star}U \vdash T \Leftrightarrow T'$, which finally yields $\Delta' \vdash (x{\star}U) \to T \mathrel{\hat\Leftrightarrow} (x{\star}U') \to T'$. 

(2) Structural equality. 

Case 

$$\frac{(x{:}T) \in \Delta}{\Delta \vdash x \leftrightarrow x : T}$$

Since $\vdash \Delta = \Delta'$, there is a unique $(x{:}T') \in \Delta'$ with $\Delta \vdash T = T'$. Hence, 
$\Delta' \vdash x \leftrightarrow x : T'$. 

(3) Type-directed equality. 

Case $\Delta \vdash t, t' : T$ and $\Delta \vdash T = T'$ and 

$$\frac{T \searrow A \qquad \Delta \vdash t \mathrel{\hat\Leftrightarrow} t' : A}{\Delta \vdash t \Leftrightarrow t' : T}$$

By normalization, $T' \searrow A'$, and subject reduction $\Delta \vdash A = T = T' = A'$. Since 
by conversion, $\Delta \vdash t, t' : A$, by induction hypothesis $\Delta' \vdash t \mathrel{\hat\Leftrightarrow} t' : A'$. Thus, 
$\Delta' \vdash t \Leftrightarrow t' : T'$. 
Case $\Delta \vdash (x{\star}U) \to T = A'$ and 

$$\frac{\Delta.\,x{\star}U \vdash t \star x \Leftrightarrow t' \star x : T}{\Delta \vdash t \mathrel{\hat\Leftrightarrow} t' : (x{\star}U) \to T}$$

By injectivity $A' = (x{\star}U') \to T'$ with $\Delta \vdash U = U'$ and $\Delta.\,x{\star}U \vdash T = T'$. Since 
$\vdash \Delta.\,x{\star}U = \Delta'.\,x{\star}U'$, by induction hypothesis we have $\Delta'.\,x{\star}U' \vdash t \star x \Leftrightarrow t' \star x : T'$. We conclude $\Delta' \vdash t \mathrel{\hat\Leftrightarrow} t' : (x{\star}U') \to T'$. □ 

Lemma 5.14 (Algorithmic equality is transitive). Let $\vdash \Delta = \Delta'$. In the following, let the terms submitted to algorithmic equality be well-typed.

(1) If $\Delta \vdash n_1 \hat\leftrightarrow n_2 : T$ and $\Delta' \vdash n_2 \hat\leftrightarrow n_3 : T'$ then $\Delta \vdash n_1 \hat\leftrightarrow n_3 : T$ and $\Delta \vdash T = T'$.

(2) If $\Delta \vdash t_1 \hat\Leftrightarrow t_2 : T$ and $\Delta' \vdash t_2 \hat\Leftrightarrow t_3 : T'$ and $\Delta \vdash T = T'$ then $\Delta \vdash t_1 \hat\Leftrightarrow t_3 : T$.

(3) If $\Delta \vdash T_1 \Leftrightarrow T_2 : s$ and $\Delta' \vdash T_2 \Leftrightarrow T_3 : s$ then $\Delta \vdash T_1 \Leftrightarrow T_3 : s$.

Proof. We extend these statements to $\leftrightarrow$ and $\Leftrightarrow$ and prove them simultaneously by induction on the first derivation.

Case
\[ \dfrac{\Delta \vdash n_1 \hat\leftrightarrow n_2 : T}{\Delta \vdash n_1 \Leftrightarrow n_2 : N} \qquad \dfrac{\Delta' \vdash n_2 \hat\leftrightarrow n_3 : T'}{\Delta' \vdash n_2 \Leftrightarrow n_3 : N'} \]
By induction hypothesis $\Delta \vdash n_1 \hat\leftrightarrow n_3 : T$, hence $\Delta \vdash n_1 \Leftrightarrow n_3 : N$.

Case
\[ \dfrac{\Delta \vdash N_1 \hat\leftrightarrow N_2 : T}{\Delta \vdash N_1 \Leftrightarrow N_2} \qquad \dfrac{\Delta' \vdash N_2 \hat\leftrightarrow N_3 : T'}{\Delta' \vdash N_2 \Leftrightarrow N_3} \]
Analogously.

Case
\[ \dfrac{\Delta \vdash n_1 \leftrightarrow n_2 : (x : U) \to T \qquad \Delta \vdash u_1 \hat\Leftrightarrow u_2 : U}{\Delta \vdash n_1\,u_1 \hat\leftrightarrow n_2\,u_2 : T[u_1/x]} \]
\[ \dfrac{\Delta' \vdash n_2 \leftrightarrow n_3 : (x : U') \to T' \qquad \Delta' \vdash u_2 \hat\Leftrightarrow u_3 : U'}{\Delta' \vdash n_2\,u_2 \hat\leftrightarrow n_3\,u_3 : T'[u_2/x]} \]
By induction hypothesis we have $\Delta \vdash n_1 \leftrightarrow n_3 : (x : U) \to T$ and $\Delta \vdash (x : U) \to T = (x : U') \to T'$, which gives in particular $s_1 = s_1'$, $s_2 = s_2'$, and $\Delta \vdash U = U' : s_1$ by function type injectivity (Thm. 5.7). By induction hypothesis we can then deduce $\Delta \vdash u_1 \hat\Leftrightarrow u_3 : U$, and therefore conclude $\Delta \vdash n_1\,u_1 \hat\leftrightarrow n_3\,u_3 : T[u_1/x]$.

Case
\[ \dfrac{\Delta \vdash U_1 \Leftrightarrow U_2 : s_1 \qquad \Delta.x{\star}U_1 \vdash T_1 \Leftrightarrow T_2 : s_2}{\Delta \vdash (x{\star}U_1) \to T_1 \Leftrightarrow (x{\star}U_2) \to T_2 : s_3} \]
\[ \dfrac{\Delta \vdash U_2 \Leftrightarrow U_3 : s_1 \qquad \Delta.x{\star}U_2 \vdash T_2 \Leftrightarrow T_3 : s_2}{\Delta \vdash (x{\star}U_2) \to T_2 \Leftrightarrow (x{\star}U_3) \to T_3 : s_3} \]
We get $\Delta \vdash U_1 \Leftrightarrow U_3 : s_1$ by transitivity. To also get $\Delta.x{\star}U_1 \vdash T_1 \Leftrightarrow T_3 : s_2$ we need $\vdash \Delta.x{\star}U_2 = \Delta.x{\star}U_1$, but this stems from $\Delta \vdash U_1 \Leftrightarrow U_2 : s_1$ by soundness of algorithmic equality. □

Theorem 5.15. The algorithmic equality relations are PERs on well-typed expressions.

Proof. By Lemma 5.14 and an analogous proof of symmetry. □

6. A Kripke Logical Relation for Completeness

The only open issues in the meta-theory of IITT are completeness and termination of algorithmic equality. In parts, completeness has been established in the last section already, namely, we have shown injectivity and discrimination for type constructors. What is missing is injectivity and discrimination for neutrals, e.g., if $\Delta \vdash n\,u = n'\,u' : T'$ then necessarily $\Delta \vdash n = n' : (x : U) \to T$ and $\Delta \vdash u = u' : U$, plus $\Delta \vdash T[u/x] = T'$. In untyped $\lambda$-calculus, this is an instance of Böhm's theorem [Bar84]. We follow Coquand [Coq91] and Harper and Pfenning [HP05] and prove it by constructing a second Kripke logical relation, ⓒ, for completeness which is very similar to the first one, ⓢ, but at base types additionally requires algorithmic equality to hold. After proving the fundamental lemma again, we know that definitionally equal terms are also algorithmically so. As a consequence, equality is decidable in IITT, and so is type checking.
6.1. Another Kripke Logical Relation. Again, by induction on the sort $s$ we define two Kripke relations
\[ \Delta \vdash A \ ⓒ\ A' : s \]
\[ \Delta \vdash a \ ⓒ\ a' : A. \]
together with their respective closures $\widehat{ⓒ}$ and the generalization to $\star$. This time, however, at base types we will additionally require algorithmic equality to hold, more precisely, the relation $\Delta \vdash t :\Leftrightarrow: t' : T$ which stands for the conjunction of the propositions

• $\Delta \vdash t : T$ and $\Delta \vdash t' : T$, and
• $\Delta \vdash t \Leftrightarrow t' : T$.

Note that by soundness of algorithmic equality, $:\Leftrightarrow:$ implies $:=:$.

Again, we allow ourselves rule notation for the defining clauses of ⓒ.

\[ \dfrac{\Delta \vdash N :\Leftrightarrow: N' : s}{\Delta \vdash N \ ⓒ\ N' : s} \qquad \dfrac{\Delta \vdash n :\Leftrightarrow: n' : N}{\Delta \vdash n \ ⓒ\ n' : N} \qquad \dfrac{\vdash \Delta}{\Delta \vdash s \ ⓒ\ s : s'}\ (s, s') \]

\[ \dfrac{\Delta \vdash U \ ⓒ\ U' : s_1 \qquad \forall \Gamma \le \Delta,\ \Gamma \vdash u \ \widehat{ⓒ}\ u' \star U \implies \Gamma \vdash T[u/x] \ \widehat{ⓒ}\ T'[u'/x] : s_2}{\Delta \vdash (x{\star}U) \to T \ ⓒ\ (x{\star}U') \to T' : s_3}\ (s_1, s_2, s_3) \]

\[ \dfrac{\forall \Gamma \le \Delta,\ \Gamma \vdash u \ \widehat{ⓒ}\ u' \star U \implies \Gamma \vdash f{\star}u \ \widehat{ⓒ}\ f'{\star}u' : T[u/x] \qquad \Delta \vdash f :=: f' : (x{\star}U) \to T}{\Delta \vdash f \ ⓒ\ f' : (x{\star}U) \to T} \]

\[ \dfrac{\Delta \vdash {\downarrow}t \ ⓒ\ {\downarrow}t' : {\downarrow}T \qquad \Delta \vdash t :=: t' : T}{\Delta \vdash t \ \widehat{ⓒ}\ t' : T} \]

\[ \dfrac{\Delta^- \vdash a \ ⓒ\ a : A \qquad \Delta^- \vdash a' \ ⓒ\ a' : A}{\Delta \vdash a \ ⓒ\ a' \div A} \qquad \dfrac{\Delta^- \vdash t \ \widehat{ⓒ}\ t : T \qquad \Delta^- \vdash t' \ \widehat{ⓒ}\ t' : T}{\Delta \vdash t \ \widehat{ⓒ}\ t' \div T} \]

This logical relation contains only well-typed and definitionally equal terms. It is symmetric, transitive, and closed under weakening and type conversion. The proofs are in analogy to those of Section 4, which rely on the fact that the underlying relation $:=:$ is a Kripke PER and closed under type conversion. The relation $:\Leftrightarrow:$ underlying ⓒ has the same properties, thanks to soundness of algorithmic equality.

Note that in the definition of $\Delta \vdash f \ ⓒ\ f' : (x{\star}U) \to T$ we did not require $f$ and $f'$ to be algorithmically equal. This would hinder the proof of the fundamental theorem for ⓒ, since algorithmic equality is not closed under application by definition; it will follow from the fundamental theorem, though. In the next lemma we shall prove that $f$ and $f'$ are algorithmically equal if they are related by ⓒ. The name Escape Lemma was coined by Jeffrey Sarnat [SS08].

Lemma 6.1 (Escape from the logical relation). Let $\Delta \vdash A \ ⓒ\ A' : s$.

(1) $\Delta \vdash A \Leftrightarrow A'$.

(2) If $\Delta \vdash t \ ⓒ\ t' : A$ then $\Delta \vdash t \Leftrightarrow t' : A$.

(3) If $\Delta \vdash n \leftrightarrow n' \star A$ and $\Delta \vdash n = n' \star A$ then $\Delta \vdash n \ ⓒ\ n' \star A$.
Corollary 6.2. Let $\Delta \vdash T \ \widehat{ⓒ}\ T' : s$.

(1) $\Delta \vdash T \hat\Leftrightarrow T'$.

(2) If $\Delta \vdash t \ \widehat{ⓒ}\ t' : T$ then $\Delta \vdash t \hat\Leftrightarrow t' : T$.

(3) If $\Delta \vdash n \hat\leftrightarrow n' \star T$ and $\Delta \vdash n = n' \star T$ then $\Delta \vdash n \ \widehat{ⓒ}\ n' \star T$.

The corollary is a direct, non-inductive consequence of the lemma, so we can use it in the proof of the lemma, quoted as "IH".

Proof of the lemma. Simultaneously by induction on $\Delta \vdash A \ ⓒ\ A' : s$.

Case $\Delta \vdash N \ ⓒ\ N' : s$.

Case (1): $\Delta \vdash N \Leftrightarrow N'$ by assumption.

Case (2): We have $\Delta \vdash {\downarrow}t \hat\leftrightarrow {\downarrow}t' : \_$, thus $\Delta \vdash t \Leftrightarrow t' : N$.

Case (3): First, consider $\star = {:}$. If $\Delta \vdash n = n' : N$ and $\Delta \vdash n \leftrightarrow n' : N$ then $\Delta \vdash n \Leftrightarrow n' : N$ and trivially $\Delta \vdash n \ ⓒ\ n' : N$.

Then, take $\star = {\div}$. Note that if $\Delta^- \vdash n = n : N$ and $\Delta^- \vdash n \leftrightarrow n : N$ then $\Delta^- \vdash n \Leftrightarrow n : N$ and $\Delta^- \vdash n \ ⓒ\ n : N$. This implies that if $\Delta \vdash n = n' \div N$ and $\Delta \vdash n \leftrightarrow n' \div N$ then $\Delta \vdash n \Leftrightarrow n' \div N$ and $\Delta \vdash n \ ⓒ\ n' \div N$.

Case $\Delta \vdash s \ ⓒ\ s : s'$.

Case (1): Clearly, $\Delta \vdash s \Leftrightarrow s$.

Case (2): Let $\Delta \vdash T \ \widehat{ⓒ}\ T' : s$. Then $\Delta \vdash T \hat\Leftrightarrow T'$ by IH (1), thus $\Delta \vdash T \Leftrightarrow T' : s$.

Case (3): For $\star = {:}$ let $\Delta \vdash N \leftrightarrow N' : s$. By inversion, $\Delta \vdash N \hat\leftrightarrow N' : T$ for some $T$. Then $\Delta \vdash N \Leftrightarrow N'$ and $\Delta \vdash N \ ⓒ\ N' : s$ by definition.

Considering $\star = {\div}$, it is sufficient to observe that $\Delta^- \vdash N \leftrightarrow N : s$ implies $\Delta^- \vdash N \Leftrightarrow N$ and $\Delta^- \vdash N \ ⓒ\ N : s$ by definition.

Case $\Delta \vdash (x{\star}U) \to T \ ⓒ\ (x{\star}U') \to T' : s_3$.

Case (1): Similar to (2).

Case (2): By assumption, $\Delta \vdash t \ ⓒ\ t' : (x{\star}U) \to T$. It is sufficient to show $\Delta.x{\star}U \vdash t{\star}x \hat\Leftrightarrow t'{\star}x : T$. Since $\Delta \vdash U \ ⓒ\ U' : s_1$, which includes $\Delta \vdash U$, we have $\Delta.x{\star}U \vdash x = x \star U$. Since also $\Delta.x{\star}U \vdash x \leftrightarrow x \star U$, we obtain $\Delta.x{\star}U \vdash t{\star}x \ \widehat{ⓒ}\ t'{\star}x : T$ via IH (3) $\Delta.x{\star}U \vdash x \ ⓒ\ x \star U$. IH (2) then entails our goal.

Case (3): First, the case for $\star = {:}$. We reuse variable $\star$ for a different irrelevance marker. We have $\Delta \vdash n \leftrightarrow n' : (x{\star}U) \to T$. Assume arbitrary $\Gamma \le \Delta$ and $\Gamma \vdash u \ \widehat{ⓒ}\ u' \star U$, which yields $\Gamma \vdash u = u' \star U$ and $\Gamma \vdash T[u/x] \ \widehat{ⓒ}\ T[u'/x] : \mathsf{Set}_i$. In case $\star = {:}$ we have to apply IH (2) for $\Gamma \vdash u \hat\Leftrightarrow u' : U$. Otherwise, we obtain directly $\Gamma \vdash n{\star}u \leftrightarrow n'{\star}u' : {\downarrow}(T[u/x])$. By IH (3), $\Gamma \vdash n{\star}u \ ⓒ\ n'{\star}u' : {\downarrow}(T[u/x])$.

The case for $\star = {\div}$ proceeds analogously. □

In analogy to ⓢ we extend ⓒ to substitutions and define the semantic validity judgements $\Vdash^{ⓒ} \Gamma$ and $\Gamma \Vdash^{ⓒ} t : T$ and $\Gamma \Vdash^{ⓒ} t = t' : T$ based on ⓒ. Since by the escape lemma, $\Delta \vdash x \ ⓒ\ x : \Delta(x)$, we have $\Gamma \vdash \mathrm{id} \ ⓒ\ \mathrm{id} : \Gamma$ for $\Vdash^{ⓒ} \Gamma$. Finally, we reprove the fundamental theorem:

Theorem 6.3 (Fundamental theorem for ⓒ).

(1) If $\vdash \Gamma$ then $\Vdash^{ⓒ} \Gamma$.

(2) If $\Gamma \vdash t : T$ then $\Gamma \Vdash^{ⓒ} t : T$.

(3) If $\Gamma \vdash t = t' : T$ then $\Gamma \Vdash^{ⓒ} t = t' : T$.
6.2. Completeness and Decidability of Algorithmic Equality. Derivations of algorithmic equality can now be obtained by escaping from the logical relation.

Theorem 6.4 (Completeness of algorithmic equality). $\Gamma \vdash t = t' : T$ implies $\Gamma \vdash t \hat\Leftrightarrow t' : T$.

Proof. Since $\Gamma \vdash \mathrm{id} \ ⓒ\ \mathrm{id} : \Gamma$, we have $\Gamma \vdash t \ \widehat{ⓒ}\ t' : T$ by the fundamental theorem, and conclude with Lemma 6.1(2). □

Termination of algorithmic equality is a consequence of completeness. When invoking the algorithmic equality check $\Delta \vdash t \hat\Leftrightarrow t' : T$ on two well-typed expressions $\Delta \vdash t, t' : T$ we know by completeness that $t$ and $t'$ are related to themselves, i.e., $\Delta \vdash t \hat\Leftrightarrow t : T$ and $\Delta \vdash t' \hat\Leftrightarrow t' : T$. This means that $t$, $t'$, and $T$ are weakly normalizing by the strategy the equality algorithm implements: reduce to weak head normal form and recursively continue with the subterms. Running the equality check on $t$ and $t'$ performs, if successful, exactly the same reductions, and if it fails, at most the same reductions in $t$, $t'$, and $T$. Hence, testing equality on well-typed terms always terminates. This argument has been applied in previous work to untyped equality [AC07]. Here, we apply it to typed equality; it is an alternative to Goguen's technique of proving termination for typed equality from strong normalization [Gog05], which, in our opinion, does not scale to dependently-typed equality.

Lemma 6.5 (Termination of algorithmic equality). Let $\vdash \Delta$.

(1) Type equality.

(a) Let $\Delta \vdash A, A'$. If $\mathcal{D} :: \Delta \vdash A \Leftrightarrow A$ and $\Delta \vdash A' \Leftrightarrow A'$ then the query $\Delta \vdash A \Leftrightarrow A'$ terminates.

(b) Let $\Delta \vdash T, T'$. If $\mathcal{D} :: \Delta \vdash T \hat\Leftrightarrow T$ and $\Delta \vdash T' \hat\Leftrightarrow T'$ then the query $\Delta \vdash T \hat\Leftrightarrow T'$ terminates.

(2) Structural equality. Let $\Delta \vdash n : T$ and $\Delta \vdash n' : T'$.

(a) If $\mathcal{D} :: \Delta \vdash n \leftrightarrow n : A$ and $\Delta \vdash n' \leftrightarrow n' : A'$ then the query $\Delta \vdash n \leftrightarrow n' : ?$ terminates. If successful, it returns $A$ and we have $\Delta \vdash A = T = T' = A'$.

(b) If $\mathcal{D} :: \Delta \vdash n \hat\leftrightarrow n : T$ and $\Delta \vdash n' \hat\leftrightarrow n' : T'$ then the query $\Delta \vdash n \hat\leftrightarrow n' : ?$ terminates. If successful, it returns $T$ and we have $\Delta \vdash T = T'$.

(3) Type-directed equality.

(a) Let $\Delta \vdash t, t' : A$. If $\mathcal{D} :: \Delta \vdash t \Leftrightarrow t : A$ and $\Delta \vdash t' \Leftrightarrow t' : A$ then the query $\Delta \vdash t \Leftrightarrow t' : A$ terminates.

(b) Let $\Delta \vdash t, t' : T$. If $\mathcal{D} :: \Delta \vdash t \hat\Leftrightarrow t : T$ and $\Delta \vdash t' \hat\Leftrightarrow t' : T$ then the query $\Delta \vdash t \hat\Leftrightarrow t' : T$ terminates.

Proof. Simultaneously by induction on derivation $\mathcal{D}$.

(1) Type equality.

Case $A = A' = s$. The query $\Delta \vdash A \Leftrightarrow A'$ terminates successfully.

Case $A = (x{\star}U) \to T$ and $A' = (x{\star}U') \to T'$. First, the query $\Delta \vdash U \hat\Leftrightarrow U'$ runs. By induction hypothesis, it terminates. If it fails, the whole query fails. Otherwise, the query $\Delta.x{\star}U \vdash T \hat\Leftrightarrow T'$ is run. By induction hypothesis on $\Delta.x{\star}U \vdash T \hat\Leftrightarrow T$ and $\Delta.x{\star}U' \vdash T' \hat\Leftrightarrow T'$, the query terminates.

Case $A = N$ and $A' = N'$ neutral. By induction hypothesis on $\Delta \vdash N \hat\leftrightarrow N : T$ and $\Delta \vdash N' \hat\leftrightarrow N' : T'$, the query $\Delta \vdash N \hat\leftrightarrow N' : ?$ terminates. Hence, the query $\Delta \vdash N \Leftrightarrow N'$ terminates.

Case Weak head normal forms $A, A'$ not covered by the previous cases: the query $\Delta \vdash A \Leftrightarrow A'$ fails immediately, since there is no applicable algorithmic type equality rule.

Case The query $\Delta \vdash T \hat\Leftrightarrow T'$ first invokes weak head normalization on $T$ and $T'$. Both terminate since $\Delta \vdash T \hat\Leftrightarrow T$, which implies $T \searrow A$, and analogously $T' \searrow A'$ since $\Delta \vdash T' \hat\Leftrightarrow T'$ by assumption. Then, the query $\Delta \vdash A \Leftrightarrow A'$ is run, which terminates by induction hypothesis on $\Delta \vdash A \Leftrightarrow A$ and $\Delta \vdash A' \Leftrightarrow A'$.
(2) Structural equality.

Case $n = n' = x$. The query $\Delta \vdash n \hat\leftrightarrow n' : ?$ terminates successfully, returning type $\Delta(x)$. Since $\vdash \Delta$, by inversion (Lemma 5.5) $\Delta \vdash T = T' = \Delta(x)$.

Case Neutral relevant application for $\Delta \vdash n\,u : T_0$ and $\Delta \vdash n'\,u' : T_0'$.
\[ \dfrac{\Delta \vdash n \leftrightarrow n : (x : U) \to T \qquad \Delta \vdash u \hat\Leftrightarrow u : U}{\Delta \vdash n\,u \hat\leftrightarrow n\,u : T[u/x]} \qquad \dfrac{\Delta \vdash n' \leftrightarrow n' : (x : U') \to T' \qquad \Delta \vdash u' \hat\Leftrightarrow u' : U'}{\Delta \vdash n'\,u' \hat\leftrightarrow n'\,u' : T'[u'/x]} \]
The query $\Delta \vdash n\,u \hat\leftrightarrow n'\,u' : ?$ first invokes the query $\Delta \vdash n \leftrightarrow n' : ?$. By induction hypothesis on $\Delta \vdash n \leftrightarrow n : (x : U) \to T$ and $\Delta \vdash n' \leftrightarrow n' : (x : U') \to T'$ the query terminates. If it fails the whole query fails. Otherwise it returns a type $A$ in weak head normal form, which is identical to $(x : U) \to T$ by uniqueness of inferred types (Lemma 3.1). Further, $\Delta \vdash (x : U) \to T = (x : U') \to T'$, and by function type injectivity (Thm. 5.7), $\Delta \vdash U = U'$ and $\Delta.x{:}U \vdash T = T'$. Thus, we can invoke the induction hypothesis on $\Delta \vdash u \hat\Leftrightarrow u : U$ and $\Delta \vdash u' \hat\Leftrightarrow u' : U$ (cast from $\Delta \vdash u' \hat\Leftrightarrow u' : U'$, Lemma 5.13) to infer that the second subquery $\Delta \vdash u \hat\Leftrightarrow u' : U$ terminates. If this one is successful, then by soundness of algorithmic equality, $\Delta \vdash u = u' : U$, which implies $\Delta \vdash T[u/x] = T'[u'/x]$.

Case Neutral irrelevant application with typing
\[ \dfrac{\Delta \vdash n : (x{\div}U_1) \to T_1 \qquad \Delta \vdash u \div U_1}{\Delta \vdash n{\div}u : T_1[u/x]} \qquad \dfrac{\Delta \vdash n' : (x{\div}U_1') \to T_1' \qquad \Delta \vdash u' \div U_1'}{\Delta \vdash n'{\div}u' : T_1'[u'/x]} \]
and algorithmic self-equality
\[ \dfrac{\Delta \vdash n \leftrightarrow n : (x{\div}U) \to T}{\Delta \vdash n{\div}u \hat\leftrightarrow n{\div}u : T[u/x]} \qquad \dfrac{\Delta \vdash n' \leftrightarrow n' : (x{\div}U') \to T'}{\Delta \vdash n'{\div}u' \hat\leftrightarrow n'{\div}u' : T'[u'/x]} \]
The query $\Delta \vdash n{\div}u \hat\leftrightarrow n'{\div}u' : ?$ invokes the query $\Delta \vdash n \leftrightarrow n' : ?$, which terminates by induction hypothesis. If successful, then $\Delta \vdash (x{\div}U_1) \to T_1 = (x{\div}U) \to T = (x{\div}U') \to T' = (x{\div}U_1') \to T_1'$. By function type injectivity, $\Delta \vdash U_1 = U = U' = U_1'$ and $\Delta.x{\div}U \vdash T_1 = T = T' = T_1'$. By conversion $\Delta \vdash u = u' \div U$, thus, $\Delta \vdash T_1[u/x] = T[u/x] = T'[u'/x] = T_1'[u'/x]$.

Case In all other cases, the query $\Delta \vdash n \hat\leftrightarrow n' : ?$ fails immediately.

Case The query $\Delta \vdash n \leftrightarrow n' : ?$ spawns the subquery $\Delta \vdash n \hat\leftrightarrow n' : ?$ which terminates by induction hypothesis on $\Delta \vdash n \hat\leftrightarrow n : T$ and $\Delta \vdash n' \hat\leftrightarrow n' : T'$. If successful, it returns type $T$, and since $T \searrow A$, the original query also terminates, returning $A$.
(3) Type-directed equality.

Case Function type $\Delta \vdash t, t' : (x{\star}U) \to T$. The query $\Delta \vdash t \Leftrightarrow t' : (x{\star}U) \to T$ spawns the subquery $\Delta.x{\star}U \vdash t{\star}x \hat\Leftrightarrow t'{\star}x : T$. Since $\Delta.x{\star}U \vdash t{\star}x, t'{\star}x : T$, the subquery terminates by induction hypothesis on $\Delta.x{\star}U \vdash t{\star}x \hat\Leftrightarrow t{\star}x : T$ and $\Delta.x{\star}U \vdash t'{\star}x \hat\Leftrightarrow t'{\star}x : T$.

Case Sort $\Delta \vdash T, T' : s$. The query $\Delta \vdash T \Leftrightarrow T' : s$ calls $\Delta \vdash T \hat\Leftrightarrow T'$, which terminates by induction hypothesis on $\Delta \vdash T \hat\Leftrightarrow T$ and $\Delta \vdash T' \hat\Leftrightarrow T'$.

Case Neutral type $N$.
\[ \dfrac{t \searrow n \qquad \Delta \vdash n \hat\leftrightarrow n : T}{\Delta \vdash t \Leftrightarrow t : N} \qquad \dfrac{t' \searrow n' \qquad \Delta \vdash n' \hat\leftrightarrow n' : T'}{\Delta \vdash t' \Leftrightarrow t' : N} \]
The query $\Delta \vdash t \Leftrightarrow t' : N$ first weak head normalizes $t$ and $t'$. By assumption, $t \searrow n$ and $t' \searrow n'$, so this terminates. The subquery $\Delta \vdash n \hat\leftrightarrow n' : ?$ terminates by induction hypothesis. Thus, the whole query terminates.

Case If $A$ is neither a function type, a sort, nor a neutral type, the query $\Delta \vdash t \Leftrightarrow t' : A$ fails immediately.

Case The query $\Delta \vdash t \hat\Leftrightarrow t' : T$ first weak head normalizes $T$, which terminates since $T \searrow A$ by assumption. Then it calls $\Delta \vdash t \Leftrightarrow t' : A$, which terminates by induction hypothesis. □
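The case analysis above fixes the shape of the equality queries: weak head normalize, dispatch on the shape of the type, compare neutrals structurally, and never compare the argument of an irrelevant application $n{\div}u$. The following Python sketch is an added illustration written for this rewrite, not code from the paper; it implements those queries for a tiny fragment with sorts, variables, relevant and irrelevant $\Pi$-types, $\lambda$ and application. The term representation, the `$n` names used as the fresh variable in the $\eta$ rule, and the sample context in the test are assumptions; it relies on the termination argument of the lemma, so it may loop on ill-typed input.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Union

# Terms of a small fragment of IITT: sorts, variables, (ir)relevant Pi, lambda, application.
# irr=True marks Pfenning's irrelevant binder (x÷U) -> T and irrelevant application n÷u.
@dataclass(frozen=True)
class Sort: lvl: int
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Pi: x: str; dom: "Term"; cod: "Term"; irr: bool = False
@dataclass(frozen=True)
class Lam: x: str; body: "Term"; irr: bool = False
@dataclass(frozen=True)
class App: fun: "Term"; arg: "Term"; irr: bool = False
Term = Union[Sort, Var, Pi, Lam, App]
Ctx = Dict[str, Term]      # the context Delta as a map from variable name to its type
_fresh = count()           # supplies the variable x for the eta rule  t*x <=> t'*x

def subst(t: Term, x: str, u: Term) -> Term:
    """t[u/x]; assumes bound names differ from free ones (Barendregt convention)."""
    if isinstance(t, Var): return u if t.name == x else t
    if isinstance(t, App): return App(subst(t.fun, x, u), subst(t.arg, x, u), t.irr)
    if isinstance(t, Lam): return t if t.x == x else Lam(t.x, subst(t.body, x, u), t.irr)
    if isinstance(t, Pi):
        return Pi(t.x, subst(t.dom, x, u), t.cod if t.x == x else subst(t.cod, x, u), t.irr)
    return t

def whnf(t: Term) -> Term:
    """Weak head normalization T ↘ A: beta-reduce at the head only."""
    if isinstance(t, App):
        f = whnf(t.fun)
        if isinstance(f, Lam):
            return whnf(subst(f.body, f.x, t.arg))
        return App(f, t.arg, t.irr)
    return t

def struct_eq(ctx: Ctx, n: Term, m: Term) -> Optional[Term]:
    """Query Delta |- n <-> m : ? on neutrals; returns the inferred type in whnf, or None."""
    if isinstance(n, Var) and isinstance(m, Var):
        return whnf(ctx[n.name]) if n.name == m.name and n.name in ctx else None
    if isinstance(n, App) and isinstance(m, App) and n.irr == m.irr:
        piT = struct_eq(ctx, n.fun, m.fun)
        if not isinstance(piT, Pi) or piT.irr != n.irr: return None
        # Irrelevant arguments are never compared: n÷u <-> m÷u' follows from n <-> m alone.
        if not n.irr and not check_eq(ctx, n.arg, m.arg, piT.dom): return None
        return whnf(subst(piT.cod, piT.x, n.arg))
    return None

def type_eq(ctx: Ctx, T: Term, U: Term) -> bool:
    """Query Delta |- T <=> U on types: weak head normalize both sides, then compare."""
    T, U = whnf(T), whnf(U)
    if isinstance(T, Sort) and isinstance(U, Sort): return T.lvl == U.lvl
    if isinstance(T, Pi) and isinstance(U, Pi) and T.irr == U.irr:
        if not type_eq(ctx, T.dom, U.dom): return False
        return type_eq({**ctx, T.x: T.dom}, T.cod, subst(U.cod, U.x, Var(T.x)))
    return struct_eq(ctx, T, U) is not None         # neutral types: N <-> N' : ?

def check_eq(ctx: Ctx, t: Term, u: Term, T: Term) -> bool:
    """Query Delta |- t <=> u : T, directed by the weak head normal form of T."""
    T = whnf(T)
    if isinstance(T, Pi):                           # eta: compare t*x and u*x under x:U
        y = Var(f"${next(_fresh)}")
        return check_eq({**ctx, y.name: T.dom}, App(t, y, T.irr), App(u, y, T.irr),
                        subst(T.cod, T.x, y))
    if isinstance(T, Sort): return type_eq(ctx, t, u)
    return struct_eq(ctx, whnf(t), whnf(u)) is not None   # neutral type: whnf, then n <-> n'
```

With `f : (x÷A) → A` in the context, `f÷a` and `f÷b` are accepted as equal for distinct variables `a, b : A`, whereas the relevant applications `g a` and `g b` are rejected, and `λz. g z` is identified with `g` at type `(x:A) → A` by the $\eta$ rule.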

Theorem 6.6. If $\Delta \vdash t : T$ and $\Delta \vdash t' : T$ then the query $\Delta \vdash t \hat\Leftrightarrow t' : T$ terminates.

Proof. From the lemma by completeness of algorithmic equality. □

Thus we have shown that algorithmic equality is correct, i.e., sound, complete, and 
terminating. Together, this entails decidability of equality in IITT. 

Theorem 6.7 (Decidability of IITT).

(1) $\Gamma \vdash t = t' : T$ is decidable.

(2) $\Gamma \vdash t : T$ is decidable.

Proof. Decidability of equality follows from soundness (Thm. 5.12), completeness (Thm. 6.4), and termination (Thm. 6.6). Decidability of typing follows from decidability of type conversion, weak head normalization, and function type injectivity, using inversion (Lemma 5.5) on typing derivations. Any reasonable type inference algorithm will do. □



7. Extensions 

Data types and recursion. The semantics of IITT is ready to cope with inductive data types like the natural numbers and the associated recursion principles. Recursion into types, also known as large elimination, is also accounted for since we have universes and a semantics which does not erase dependencies (unlike Pfenning's model [Pfe01]).

Types with extensionality principles. One purpose of having a typed equality algorithm is to handle $\eta$-laws that are not connected to the shape of the expression (like $\eta$-contraction for functions) but to the shape of the type only. Typically these are types $T$ with at most one inhabitant, i.e., the empty type, the unit type, singleton types or propositions.* For such $T$ we have the $\eta$-law
\[ \dfrac{\Gamma \vdash t, t' : T}{\Gamma \vdash t = t' : T} \]
which can only be checked in the presence of type $T$. Realizing such $\eta$-laws gives additional "proof" irrelevance which is not covered by Pfenning's irrelevant quantification $(x{\div}U) \to T$.

* Some care is necessary for the type of Leibniz equality [Abe09, Wer08].

Internal erasure. Terms $u \div U$ in irrelevant position are only there to please the type checker; they are ignored during equality checking. This can be inferred from the substitution principle: if $\Gamma.x{\div}U \vdash T$ and $\Gamma \vdash u, u' \div U$, then $\Gamma \vdash T[u/x] = T[u'/x]$; the type $T$ has the same shape regardless of $u, u'$. Hence, terms like $u$ serve the sole purpose of proving some proposition and could be replaced by a dummy $\bullet$ immediately after type-checking.

Internal erasure can be realized by making $\Gamma \vdash t \div T$ a judgement (as opposed to just a notation for $\Gamma^- \vdash t : T$) and adding the rule
\[ \dfrac{\Gamma \vdash t \div T}{\Gamma \vdash \bullet \div T} \]
The rule states that if there is already a proof $t$ of $T$, then $\bullet$ is a new proof of $T$. This preserves provability while erasing the proof terms. Conservativity of this rule can be proven as in joint work of the author with Coquand and Pagano [ACP11].

8. Conclusions 

We have extended Pfenning's notion of irrelevance to a type theory IITT with universes that accommodates types defined by recursion. We have constructed a Kripke model ⓢ that shows soundness of IITT, yielding normalization, subject reduction and consistency, plus syntactical properties of the judgements of IITT. A second Kripke logical relation ⓒ has proven correctness of algorithmic equality and, thus, decidability of IITT.

Integrating irrelevance and data types in dependent type theory does not seem to be without challenges. We have succeeded in treating Pfenning's notion of irrelevance, but our proof does not scale directly to parametric function types, a stronger notion of irrelevant function types called implicit quantification by Miquel [Miq01b].* Two more type theories build on Miquel's calculus [Miq01a], Barras and Bernardo's ICC* [BB08] and Mishra-Linger and Sheard's Erasure Pure Type Systems (EPTS) [MLS08], but none has offered a satisfying account of large eliminations yet. Miquel's model [Miq00] features data types only as impredicative encodings. For irrelevant, parametric, and recursive functions to coexist it seems like three different function types are necessary, e.g., in the style of Pfenning's irrelevance, extensionality and intensionality. We would like to solve this puzzle in future work, not least to implement high-performance languages with dependent types.

* A function argument is parametric if it is irrelevant for computing the function result while the type of the result may depend on it. In Pfenning's notion, the argument must also be irrelevant in the type.